One challenge that we face when it comes to group policy management has to do with how do we get updates out to our users and our computers once we've made them on a group policy object. Because by default, a user and computer will refresh and go through and do a group policy update every 90 minutes, but what happens when we make a change and we want to make that change take effect right now. Well there's a couple different things that we can do, so let me show you how they're done.
In order to demonstrate this, I'm gonna go into DC01. Here on DC01, we're looking at the server manager, and the first thing that I wanna show you is something to where I want you to treat this computer that we're looking at as being the client. Okay, this is the machine that needs to be updated, and in order to do this, we have to go to the command prompt. So I'm gonna click on Start, type in C-M-D, take us right into the command prompt. Here in the command prompt window, the command that we can use, and it's been around pretty much as long as group policy has been around, is gpupdate.
Just simply gpupdate, I'll hit enter, and you'll see here that it says it's updating the policy, and in just a moment, it's gonna tell me that the Computer Policy has been updated. There it is, and after that, it will tell me that the User Policy has been updated, and boom, there we go, it's all completed. This is what I would do out on a machine to have that machine refresh through all the group policies that are linked to containers that affect this particular computer, or the user that's logged in to this computer.
Now please, keep in mind, that this is done on a computer-by-computer basis, right, so this is just one at a time. It is not a remote update, so it's something that, in a scenario where, let's say a user has called you and there's a problem and you realize that problem was caused by a group policy, you update that group policy, and you want the user to get the changes right away, you would tell them to open up a command prompt and run gpupdate. This would not be something that would work very well if you made a change and you wanted to update a lot of computers all at once.
I'll show you how to do that in just a moment. Before I do, I do wanna also show you that gpudate has some switches that you might wanna be familiar with. So I'm gonna type in gpupdate and put in a forward slash question mark, for help, and then from there, I'm gonna scroll back up to the top, and point out a couple of switches. Now there's a number of them here to look at. The two main switches that I want you to be familiar with are the very first two listed here. The first one is target. This one confuses a lot of people.
If you do forward slash target, colon, and then you have computer or user. Now a lot of people think, oh this is a great way for me to do a gpudate and do it targeting a specific computer or a specific user. That is not what this is. We're not saying, aim this at a certain computer or user, but rather, we're targeting to only update the computer settings, or only update the user settings. That's what that switch actually means. Okay, this is not a way of targeting a specific computer or user.
The next one is forward slash force, and this is a way to forcefully say to the computer, and really or the user logged in, please reapply the entire group policy. Pretend like we're starting from scratch. Do all the settings, not just anything that might have changed. So that's what forward slash force is. Now, the next one here. I'm gonna kinda skip past this wait switch. It's not one that is commonly used, and you can read what it does here. It sets the number of seconds to wait for the policy processing to finish.
Not a big issue there. And the next two, slash logoff and slash boot, while they can be important, I kinda have not really seen where it makes a whole lot of sense to use them. Slash logoff, you'll see here, it says causes a logoff after the Group Policy settings have been updated, and slash boot causes the computer to reboot after the Group Policy settings have been applied. Now, some updates, and you'll read if you read the rest of the help document here, you'll see is because certain client-side extensions don't actually update unless the user actually logs off and logs back in, or unless the computer is actually rebooted.
So, the switches make a lot of sense. The problem is, why not just ask the user to logoff and log back on, or to reboot the computer? And then the gpupdate command just doesn't even need it. All right, so , yes, technically you can do the gpupdate to make sure the system truly has updated and then do the logoff or the reboot but personally I've found that it's just an unnecessary step. You can just have logoff and log back on, or just simply do a reboot. All right, so that's the gpupdate command.And More... To Know.