
How to manage Group Policy updates locally and remotely

Follow this tutorial to learn how to manage Group Policy Objects updates locally and remotely using the CLI and PowerShell.

Image: Jesus Vigo/TechRepublic

For systems administrators of Windows-based networks, there is no greater control suite than System Center Configuration Manager (SCCM). However, for all but the largest of enterprise environments, the cost remains prohibitive.

This is why Microsoft has made great inroads to support SMBs in gaining greater control of their infrastructure with technologies such as Group Policy (GP), Microsoft Deployment Toolkit (MDT), and PowerShell.

This how-to focuses on managing GP propagation. I highlight helpful commands used to determine GP inheritance, and explain how to apply Group Policy Objects (GPO) locally and remotely.


  • Clients running Windows Vista+
  • Group Policies configured and applied to computers and/or users

Determine GPO inheritance (local only)

What is it?

Gpresult /v >C:\results.txt (Figure A)

Figure A


What does it do?

The gpresult command, which is executed through the CLI, offers a readout of all GPOs applied to the computer. By default, the display is printed on-screen; however, by following the /v (verbose) argument with the >C:\results.txt redirection, the information will be output to a text file and saved to the root of the drive for review.

How is it helpful?

This command identifies which assigned GPOs are not applying their configured settings to a workstation. It is typically used in conjunction with the gpupdate command to ensure that the latest settings are being applied from the domain controller.

Update GP settings from domain controller (local only)

What is it?

Gpupdate /force (Figure B)

Figure B


What does it do?

This command will force the client to check with the domain controller to apply the most recent GPOs available that are assigned to the workstation. By executing the command with the /force argument, the default 30-minute query for updated GPOs is ignored, and the computer checks with the domain controller to apply available settings changes immediately.

How is it helpful?

Typically, Active Directory (AD) domains will replicate changes made to the topology after a finite amount of time has passed since the initial change. By default, after the initial change AD will begin a countdown timer that will propagate the changes that have occurred during that time frame to all AD domain controllers.

Depending on the size of the network, the amount of data that requires replication and any latency that may be introduced between site-to-site connections, it may take a considerable amount of time for changes executed at one site to replicate across the LAN/WAN to another site. Gpupdate cuts this delay down considerably by allowing each client to query the domain controller for any changes immediately.

Note: Both commands listed above are executed from the Command Line Interface (CLI) and must be run on each computer locally. The commands may be run manually, scripted, or via a third-party application, such as PsExec. To execute remotely via PowerShell, see the Invoke-GPUpdate command below.

Update or sync GP updates (remote/local)

What is it?

Invoke-GPUpdate -Computer ComputerName -Force (Figure C)

Figure C


What does it do?

Using PowerShell, a sys admin can achieve greater, more granular control over local and remote systems. In this case, using the Invoke-GPUpdate command with the -Computer switch will allow you to remotely select a computer by its hostname, DNS name, or IP address and execute the command on it. Specifying the -Force switch will reapply the GP settings on the target machine, while the -Sync switch executes the foreground updating of settings immediately.

How is it helpful?

Similar to the gpupdate command in the previous section, its PowerShell equivalent offers the same control over workstations and executing GPO settings updates.

It differs in that the Invoke-GPUpdate PS cmdlet can run on the local device as well as remotely. Additionally, a list of computer names may be piped into the Invoke-GPUpdate command, allowing it to run on multiple remote computers from just the admin station. The command may also be scripted or run via third-party applications, as needed.
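The multi-computer refresh described above, as an added example that is not part of the original article. The host names are constructed placeholders, and the script assumes the GroupPolicy module (RSAT) is installed on the admin station and that the targets answer ICMP. It records a per-host outcome so that machines which did not take the refresh are visible instead of silently skipped.

```powershell
# Added example: refresh Group Policy on several remote computers and
# report which ones accepted the request. Host names are placeholders.
Import-Module GroupPolicy   # provides Invoke-GPUpdate

# Constructed sample input; replace with your own list or a text file.
$computers = 'WS-EXAMPLE-01', 'WS-EXAMPLE-02', 'WS-EXAMPLE-03'

$results = $computers | ForEach-Object {
    $name   = $_
    $status = 'RefreshScheduled'
    $detail = ''

    # Skip hosts that are offline (assumes ICMP echo is allowed).
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        $status = 'Unreachable'
    }
    else {
        try {
            # Invoke-GPUpdate creates a scheduled task on the target that
            # runs gpupdate there. -RandomDelayInMinutes 0 removes the
            # random delay the cmdlet otherwise adds before the task runs.
            Invoke-GPUpdate -Computer $name -Force `
                -RandomDelayInMinutes 0 -ErrorAction Stop
        }
        catch {
            # Typical causes: firewall blocking remote scheduled task
            # management, or insufficient rights on the target.
            $status = 'Failed'
            $detail = $_.Exception.Message
        }
    }

    [pscustomobject]@{
        Computer = $name
        Status   = $status
        Detail   = $detail
    }
}

# Hosts that did not take the refresh are still running older policy
# and should be followed up on.
$results | Sort-Object Status, Computer | Format-Table -AutoSize
```

A status of RefreshScheduled means the target accepted the request, not that every setting applied; running gpresult on the target, as shown earlier, confirms what is actually in effect.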

Share your experiences

Have you implemented GP at your organization? If so, how do you best manage settings on your workstations? We'd love to hear from you; please respond below in the comments.



Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from seve...
