Group Policy is a popular Active Directory service that many organizations use today. If your organization uses Group Policy, chances are you’re familiar with the gpupdate command; more specifically, the gpupdate /force command.
Do you know what gpupdate is doing? Do you ever need to use the force parameter? And if yes, when does it make sense?
In this article, you’re going to learn what gpupdate does, how it works, and how you can best take advantage of its options.
What is GPUpdate?
Gpupdate is a command-line utility from Microsoft that comes with all versions of the Windows operating system. It’s a utility that controls the application of group policy objects (GPOs) on assigned Active Directory computers.
Typically, when an administrator assigns a GPO to a computer or user, that computer automatically checks with a domain controller and applies the settings defined in the GPO. There is no intervention needed; the process is automatic.
There are times outside of the regular automatic schedule when an administrator needs to force the computer to check for new or changed GPOs. This scenario is where gpupdate comes in handy.
The gpupdate command, in a nutshell, checks with a domain controller for any new or updated GPOs assigned to a computer and immediately attempts to apply them.
If you’d like to run any of the examples provided in this tutorial, this article’s prerequisites are light.
- A Windows computer joined to an Active Directory domain
- At least one GPO assigned to the computer you’re working on
How Gpupdate Works
When you’re sitting in front of a domain-joined computer, open the Windows command prompt or PowerShell and run gpupdate, and a series of tasks begins.
1. Gpupdate starts the Group Policy Client service. This service is responsible for discovering and applying new Group Policy settings.
2. The Group Policy Client service then reaches out to the computer’s logon DC and checks to see if any new GPOs or updates to existing GPOs are available.
3. If the Group Policy Client service finds any new GPOs or any that you’ve changed locally with gpedit.msc, it processes all client-side extensions (CSEs), starting with computer settings followed by user settings.
The Group Policy Client service logs events under Applications and Services Log\Microsoft\Windows\GroupPolicy\Operational.
4. Once finished, the Group Policy Client service then waits until the next refresh interval, which is, by default, 90 minutes plus a random offset of up to 30 minutes.
Some Group Policy settings require the user to log off or restart the computer to take effect. If one of these settings is part of the policy, gpupdate will prompt you to log off or restart the computer.
/force Switch Explained
You now know the basics of what happens when you run gpupdate. So far, it seems like everything works, right? In a typical scenario, running gpupdate and allowing it to walk through its process works just fine. But there are occasions where you need to force some things along.
One of the most widely used parameters of gpupdate is the /force switch. This switch is one that’s somehow become ingrained in every IT pro’s mind as a necessary switch to use. Contrary to popular belief, you don’t actually need it except under certain circumstances.
By default, gpupdate is smart; it compares all current settings with any new settings and applies only those that have changed. But you can also force gpupdate to reapply all settings using the /force switch. Why would you need to do that?
Sometimes, settings drift from their expected values. For example, if a user disables a Windows feature controlled by an existing policy, running gpupdate /force will force the Group Policy Client service to reassess the value and return it to the expected value. Or, perhaps, you want to add a user back to a restricted group from which it was removed.
The Group Policy Client service reapplies some settings regularly, such as security settings (default interval is 16 hours).
The biggest reason not to use the /force switch is when dealing with settings that can only be applied at logon or startup. When this happens, Windows will prompt you to log off or restart every time you run gpupdate /force, even if new settings don’t require such action.
Digging into Gpupdate’s Parameters
Now that you have a basic understanding of how gpupdate works and know when and how to use the /force switch, let’s focus on all of the other functionality gpupdate provides.
As expected, the gpupdate command can provide information about each parameter and what it does. Although lacking in depth, the /? switch is handy if you quickly need a refresher on how to perform a particular task.
Targeting Computer or User Settings
By default, gpupdate tells the Group Policy Client service to process both computer and user settings. If you only need to refresh one of these sets, you can use the
You have two options when using the /target parameter; you can target computer or user settings with
You should only use the /target parameter under specific circumstances, specifically targeting the user settings first, followed by computer settings. Why? Sometimes a policy will have overlapping user and computer settings. When this happens, the user settings override the computer settings, which may lead to unexpected behavior.
Creating a Timeout
Gpupdate typically runs pretty quickly, but problems with an unresponsive DC or Group Policy Client service may hang up the process. If you’re running gpupdate in a script that has further tasks to perform after gpupdate returns, you may want to create a timeout.
You can force gpupdate to return control to the command window after a certain period of time and push policy processing to the background using the /wait parameter. Available values for the /wait parameter are below.

| Value | Behavior |
|---|---|
| 0 | Immediately returns control to the console |
| -1 | Waits indefinitely for gpupdate to finish |
| 1+ | Waits the number of seconds provided |
Forcing an Automatic Logoff
Some settings will require the user to log off and back on if background processing isn’t possible. By default, gpupdate will prompt you when finished if this is the case. If, however, you want to log off immediately once gpupdate is finished, use the
/logoff Switch May Not Always Work
On both Windows 10 and Windows Server 2019, you’ll sometimes run into an unexplained issue where the /logoff parameter does not work.
For example, the client below has a policy assigned to it that enables desktop redirection for the logged-in user. Folder redirection settings can only be processed at logon, not during the background refresh of policies.
Without using the /logoff switch, a regular user sees the warning below to log off when a new setting requires it, as expected. But regardless of whether you use the /logoff switch or not, you’ll still be prompted, and Windows will not log off.
To ensure you get logged off in this scenario, you must also use the
Forcing an Automatic Restart
Similar to the /logoff switch, the /boot switch automatically restarts a computer if Windows cannot process any computer settings in the background. The /boot switch is commonly used for computer-targeted software installations.
Forcing Synchronous Processing
The Group Policy Client service applies policies either in parallel (asynchronously) or one at a time (synchronously). Windows processes policies synchronously only at user logon and computer startup; otherwise, it processes them asynchronously.
During synchronous processing, the Group Policy Client invokes all of its CSEs even if no settings have changed. Synchronous processing is necessary because some settings depend on others.
You can combine the /sync switch with either /target:user or /target:computer. You can only use the /sync switch while running the command window as an administrator. If not, you’ll see the Access Denied error messages below.
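The following is an added example, not code from the original article: a PowerShell wrapper that ties together the /target, /force, /wait and /sync behaviour described above with the Group Policy Client’s Operational log mentioned earlier, so a script can bound how long it waits, refuse /sync when it is not elevated, and report any errors or warnings the client logged during that refresh. The function name Invoke-GpRefresh, its parameters, and the choice to surface only Error/Warning events are assumptions of this example; the log name is the Get-WinEvent form of the Operational log the article names.

```powershell
# Added example (not from the original article). Wraps gpupdate.exe so a script can
# target one settings set, bound the wait, require elevation for /sync, and then read
# the Group Policy Client's Operational log for problems raised since the run began.
function Invoke-GpRefresh {
    [CmdletBinding()]
    param(
        [ValidateSet('Computer', 'User')] [string] $Target,   # omit to refresh both sets
        [switch] $Force,                                      # reapply all settings, not only changed ones
        [switch] $Sync,                                       # synchronous processing; needs an elevated session
        [ValidateRange(-1, 2147483647)] [int] $WaitSeconds = 120  # /wait: 0 = return at once, -1 = wait forever
    )

    if ($Sync) {
        # The article notes /sync fails with Access Denied unless run as an administrator,
        # so check elevation up front instead of letting gpupdate fail part-way through.
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = [Security.Principal.WindowsPrincipal]::new($identity)
        if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
            throw '/sync requires an elevated (administrator) session.'
        }
    }

    $arguments = @("/wait:$WaitSeconds")
    if ($Target) { $arguments += "/target:$($Target.ToLower())" }
    if ($Force)  { $arguments += '/force' }
    if ($Sync)   { $arguments += '/sync' }

    $started = Get-Date
    Write-Verbose "Running: gpupdate $($arguments -join ' ')"
    $output   = & gpupdate.exe @arguments 2>&1
    $exitCode = $LASTEXITCODE   # non-zero means gpupdate reported a problem; inspect Output

    # Error (2) and Warning (3) events the Group Policy Client logged during this refresh.
    # This is the Get-WinEvent name for Applications and Services Logs\Microsoft\Windows\GroupPolicy\Operational.
    $problems = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        StartTime = $started
        Level     = 2, 3
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Arguments = $arguments -join ' '
        ExitCode  = $exitCode
        Output    = ($output | Out-String).Trim()
        Problems  = @($problems | Select-Object TimeCreated, Id, LevelDisplayName, Message)
    }
}

# Example usage: refresh computer settings only, allow the DC two minutes, then report.
Invoke-GpRefresh -Target Computer -WaitSeconds 120 -Verbose | Format-List
```

Run it from an elevated session when you pass -Sync; without elevation the function stops before calling gpupdate, matching the Access Denied behaviour the article describes.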
Asynchronous processing is a way to optimize the sign-in experience of domain users. Before Windows XP, all policy processing was synchronous, with the only downside that some settings required two logons or two restarts before being applied. The default mode since Windows XP is now asynchronous.
If you followed along with this article, you should now have a clear idea about what gpupdate does and how you can use its switches to change its behavior. If you are interested in using gpupdate on a larger scale or automating with it, be sure to check its PowerShell counterpart,