Gpupdate /force (Point to a specific domain controller)

    Question

  • I have an environment that does not have access to all domain controllers by design.  Is there a way to point to a specific domain controller when updating group policy on a server or workstation?  Thanks

    Shawn

    Friday, March 30, 2012 1:08 PM

All replies

  •  
    > I have an environment that does not have access to all domain
    > controllers by design.  Is there a way to point to a specific domain
    > controller when updating group policy on a server or workstation?  Thanks
     
    No, there isn't. No direct way. But you may
    a) use site coverage (check out GPO settings in Computer Configuration -
    Policies - Administrative Templates - System - NetLogon - DC Locator DNS
    Records)
    b) tweak DNS or hosts (not recommended)
     
    sincerely, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Friday, March 30, 2012 3:10 PM
  • Hi,


    According to the description, I understand that you want to run gpupdate /force on the DC as a domain user.


    If I have misunderstood anything, please feel free to let me know.


    I have an environment that does not have access to all domain controllers by design.


    >> This is a policy setting under Default Domain Controllers Policy: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> User Rights Assignment -> Allow log on locally.


    Default:

    On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest.


    On domain controllers: Account Operators, Administrators, Backup Operators, Print Operators, and Server Operators.


    For details: Allow log on locally (http://technet.microsoft.com/en-us/library/cc756809(v=ws.10).aspx)


    We can add the domain user to Allow log on locally so that the domain user can log on to the DC.


    Is there a way to point to a specific domain controller when updating group policy on a server or workstation?


    >> I'd like to suggest using RDP to achieve the target:


    Allow users to connect remotely using Remote Desktop Services
    ===========================================
    1. Windows Server 2008 and later: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections -> Allow users to connect remotely using Remote Desktop Services
    2. Windows Server 2003: Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services -> Allow users to connect remotely using Terminal Services

    Restricted Groups
    ==========
    1. Computer Configuration -> Policies -> Windows Settings -> Security Settings
    2. Right-click Restricted Groups, and then click Add Group.
    3. Click Browse, add Remote Desktop Users, click OK.
    4. Add the members you want.

    Allow log on through Terminal Services (RDS on DC)
    ==========================
    Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on through Terminal Services


    Then, domain users can log on via RDP to run gpupdate /force.


    Hope this helps!

     

     

    Best Regards
    Elytis Cheng
    TechNet Community Support

    Monday, April 02, 2012 7:32 AM
    Moderator
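
    To review who ends up holding the two logon rights named in the reply above, the following added example (not part of the original post and not Microsoft's code) parses a `secedit /export` file and lists the holders of Allow log on locally (SeInteractiveLogonRight) and Allow log on through Terminal Services (SeRemoteInteractiveLogonRight), marking entries that fall outside the domain controller defaults quoted in the reply. The function name, the sample SIDs and the file path are assumptions.

```powershell
# Baseline: the domain controller defaults for "Allow log on locally" as quoted
# in the reply above, written as well-known SIDs.
$DcDefaultLogonLocally = @(
    'S-1-5-32-544'   # Administrators
    'S-1-5-32-548'   # Account Operators
    'S-1-5-32-549'   # Server Operators
    'S-1-5-32-550'   # Print Operators
    'S-1-5-32-551'   # Backup Operators
)

# Hypothetical helper: takes the lines of a secedit export and emits one object
# per principal holding either logon right.
function Get-LogonRightHolders {
    param([Parameter(Mandatory)][string[]]$InfLines)
    $rights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight'
    foreach ($line in $InfLines) {
        if ($line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        $value = $Matches[2]
        if ($rights -notcontains $right) { continue }
        foreach ($entry in ($value -split ',')) {
            $id = $entry.Trim().TrimStart('*')   # SIDs are exported as *S-1-...
            if (-not $id) { continue }
            # Name lookup is best effort: it fails offline or for unknown SIDs.
            $name = $id
            try {
                $sid  = [System.Security.Principal.SecurityIdentifier]::new($id)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
            # The page only gives defaults for the local logon right.
            $extra = $null
            if ($right -eq 'SeInteractiveLogonRight') {
                $extra = $DcDefaultLogonLocally -notcontains $id
            }
            [pscustomobject]@{ Right = $right; Sid = $id; Name = $name; NotInDcDefault = $extra }
        }
    }
}

# Constructed sample of an export (the -513 SID stands in for Domain Users).
# On a real DC, create the file with
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
# and pass (Get-Content C:\Temp\rights.inf) instead of $sample.
$sample = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-513
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
'@ -split "`r?`n"

Get-LogonRightHolders -InfLines $sample | Format-Table -AutoSize
```

    With the constructed sample, only the `-513` entry is reported with `NotInDcDefault` set to True.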
  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

    Best Regards
    Elytis Cheng
    TechNet Community Support

    Thursday, April 05, 2012 9:31 AM
    Moderator