Cloud

How to reduce the Group Policy refresh interval

Group Policy refreshes computer accounts on a default schedule of 90 minutes. Rick Vanover shows ways to reduce this schedule when necessary.

Group Policy is a great way to deploy settings to users and computers centrally -- unless you wind up waiting for the updates. The default interval to update the Group Policy to a computer account is 90 minutes; further, there is an offset of 0-30 minutes. While this schedule is fine for most situations, there may be times when you need to make it shorter for quick updates.

There are various ways to shorten the Group Policy refresh interval. But be careful when you make these changes because it will increase the traffic from domain controllers to computer accounts.

One approach is to have the server computer accounts receive a tighter refresh policy, with the assumption that there are fewer servers than client computers. The refresh interval is defined in Group Policy in the Policies | Administrative Templates | System | Group Policy section in a value called Group Policy Refresh For Computers (Figure A). After the Group Policy Refresh For Computers value is selected, it is represented in minutes that will determine how frequently the computer accounts will try to update the policy. Figure A

Click the image to enlarge.
Another option is the offset labeled Random Time Added. The offset is important because it ensures that the domain controllers don't get perpetually bamboozled with request for updates. Figure B has a tightened value for the update refresh interval. Figure B

Click the image to enlarge.

A good approach is to tighten the update interval when a number of frequent changes need to be deployed, such as after a move or a major system update. But consider whether a tighter interval is needed, especially because in most cases the updates do not retrieve a new configuration for the computer account. On the other hand, large environments may want to make this interval much larger when thousands of computer accounts may be in use.

How have you adjusted the computer account refresh value? Share your comments in the discussion.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

4 comments
Alan Shortall
Alan Shortall

I think a Group Policy of 90 minutes is too long. I prefer having it within an hour. Better yet, have it in random time. - Unilife Alan Shortall

elrico-fantastica
elrico-fantastica

i used to use a kix script to run through a list of ip addresses.. it would read in the IP address then connect using a remote console then run the command gpupdate /force this would kick off every client refreshing its policies. a bit long winded to setup but it meant i could domain wide manual refreshes at will.

sstolar
sstolar

If you are changing the refresh interval because you want to get recent changes out more quickly, you do not need to change group policy and burden the network long term. Special Operations Software has a free tool called SpecOps GPUpdate at www.specopssoft.com. Not only can you force Group Policy updates out to your computers, you can start, shutdown or restart any computer. You can also tell your computers to check in with your WSUS server with this free tool. You can select one computer, several computers, an OU or any domain that is in Active Directory.

Gis Bun
Gis Bun

I would assume that if you change these settings, they take effect immediately for the AD. If so, does the policies get done immediately or wait for the new time frame [and offset].

Editor's Picks