
MS Domain Controller Group Policy Observations

I feel confident that Group Policy refresh behaviour has stopped many IT professionals from using MS Group Policies to control "User Rights and Privileges" in a complex user environment. It is most frustrating to go to the effort of updating your GP on a DC only to find that it seems not to work, because the refresh interval for these policies is set by default to 90 minutes on a workstation or server and 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes. Because this fact is not well documented, many technicians have tried to understand GPOs only to find during implementation that nothing happens unless a forced refresh of both the DC and the client PC is initiated.

How to Force Refresh Group Policy in W2k3

To trigger Group Policy application for the client and DC, type the following line at a command prompt and press Enter, first on the Domain Controller server and then on the client workstation used for the test environment:
gpupdate /force

Syntax

gpupdate [/target:{computer | user}] [/force] [/wait:Value] [/logoff] [/boot]

Parameters

/target:{computer | user}
Processes only the Computer settings or the current User settings. By default, both the computer settings and the user settings are processed.

/force
Ignores all processing optimizations and reapplies all settings.

/wait:Value
Number of seconds that policy processing waits to finish. The default is 600 seconds. 0 equals no wait, and -1 equals wait indefinitely.

/logoff
Logs off after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the user logs on, such as user Group Policy Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require the user to log off.

/boot
Restarts the computer after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the computer starts up, such as computer Group Policy Software Installation. This option has no effect if there are no extensions called that require the computer to be restarted.

/?
Displays help at the command prompt.

Examples

The following examples show how you can use the gpupdate command:

gpupdate

gpupdate /target:computer

gpupdate /force /wait:100

gpupdate /boot

This command refreshes both the user policy and the machine policy for Group Policy settings that are stored in Active Directory, on the Domain Controller and on clients running XP or later. This command thankfully supersedes the now obsolete /refreshpolicy option of the secedit command used on W2K Servers.

How to Force Refresh GP on W2k Servers

To trigger Group Policy application for the local computer, type the following line at a command prompt:
secedit /refreshpolicy machine_policy /enforce

To trigger Group Policy application for the currently logged on user, type the following line at a command prompt:
secedit /refreshpolicy user_policy /enforce

After Windows 2000 has accepted the request, the following text should be displayed to the user: Group policy propagation from the domain has been initiated for this computer. It may take a few minutes for the propagation to complete and the new policy to take effect. Please check Application Log for errors, if any.
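The forced gpupdate refresh and the Application Log check described above can be combined into one step. The following is an added example, not part of the original page. It assumes Windows PowerShell 2.0 or later in an elevated session on a system that has gpupdate, and that policy processing errors are written to the Application log as the message above indicates. The function name Invoke-PolicyRefresh is hypothetical.

```powershell
# Added example (not from the original page): force a Group Policy refresh,
# then list Error/Warning entries written to the Application log meanwhile.
# Assumptions: Windows PowerShell 2.0+ (Get-EventLog -After), elevated prompt,
# run on the DC first and then on the test client, as the page describes.

function Invoke-PolicyRefresh {          # hypothetical helper name
    param(
        [ValidateSet('computer', 'user')]
        [string[]]$Target = @('computer', 'user'),
        [int]$WaitSeconds = 600          # gpupdate's default /wait value
    )

    $started = Get-Date

    foreach ($t in $Target) {
        Write-Host "Refreshing $t policy..."
        # /force reapplies all settings, not only those that changed
        & gpupdate.exe "/target:$t" /force "/wait:$WaitSeconds"
    }

    # Error and Warning entries logged since the refresh began.
    # No source filter is applied, so unrelated entries may appear as well.
    $events = @(Get-EventLog -LogName Application -EntryType Error, Warning `
                    -After $started -ErrorAction SilentlyContinue)

    if ($events.Count -eq 0) {
        Write-Host 'No errors or warnings were logged during the refresh.'
    }
    else {
        $events | Sort-Object TimeGenerated |
            Format-Table TimeGenerated, Source, EventID, Message -AutoSize -Wrap |
            Out-Host
    }
}

# Same options as the page's "gpupdate /force /wait:100" example
Invoke-PolicyRefresh -WaitSeconds 100
```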


All text is available under the terms of the GNU Free Documentation License
Page last modified on 2008-01-11 09:25