Saturday, November 28, 2015

Gpupdate /mostlyfineasis

One of the cure-alls we use at work for fixing issues with our AD-joined systems is to run the following command:

gpupdate /force

Fixes everything! (not)

So when this Helge Klein post came in this week with its incendiary lead-in, I had to pay attention.

How Group Policy Impacts Logon Performance #1: CSEs • Helge Klein

Gpupdate /force is for wimps!

Say you have changed a Group Policy setting in the domain and want to test its effects on a member computer. You open a command prompt and type:

gpupdate /force

Please pause and think this over before hitting enter. Why the /force switch? To show that stupid machine who is its master? Are you one of those people that click Apply before they click OK? Do you wear both belt and suspenders? Of course you do not! So let us take a look at the help text for the /force parameter:

Reapplies all policy settings. By default, only policy settings that have changed are applied.

That is quite telling. Group Policy keeps track of what has been applied and does not reapply settings that are already present. Nice! So why would we override this optimization? We would not. Using /force typically is only required when your Group Policy infrastructure (i.e. AD and/or DNS) is broken. Go fix it instead of telling poor old Group Policy to forego optimizations!


That got me digging just a little bit deeper into the whole gpupdate /force thing we do and tell others to do without consideration.

GPUpdate or GPUpdate /force? Learn the difference! - DeployHappiness.

From Joseph Moody’s entertaining post:


As it turned out, Group Policy was always working – I just didn’t understand it. So what’s the difference between GPUpdate and GPUpdate /force? Well –

GPUpdate: Applies any policies that are new or modified

GPUpdate /force: Reapplies every policy, new and old.

So which one should I use? 99% of the time, you should only run gpupdate. If you just edited a GPO and want to see results immediately, running gpupdate will do the trick. In fact, running GPUpdate /force on a large number of computers can be damaging to your career. This is because these machines will hit a domain controller and reevaluate every GPO applicable to them.

Note: If you are looking for the remote version of GPUpdate in Active Directory Users and Computers, see this guide.

Anything else?

Since you asked, why yes there is! GPUpdate has a few other options for you to use.

/LogOff: Certain GPOs, such as Folder Redirection, can’t apply in the background. If a logoff is required, this switch will initiate it.

/Boot: If a policy, such as software installation, needs to be applied – the boot command will reboot the machine.

/Sync: Useful for changing the foreground (startup/logon) processing to synchronous.



Also handy after running a “gpupdate” command:  “gpresult /h c:\temp\myGPreport.html”


Open with IE or Chrome or something and check your results of applied policies. If you use this technique, you can quickly search through the results with the search feature of the browser to highlight and jump to specific policy references you are looking for. It is a real time saver.
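The refresh-then-report routine above, scripted as an added example (not from the original post or the quoted authors): it runs gpupdate without /force, writes the gpresult report as XML with /x instead of /h, and lists the GPOs found in it. The report path, the search pattern, the helper name and the RSoP element names read from the XML are assumptions to check against your own report.

```powershell
# Added example. $report, $pattern and Get-ChildText are illustrative names.
$report  = Join-Path $env:TEMP 'myGPreport.xml'
$pattern = 'Redirection'              # text to look for in GPO names

# Plain refresh: only new or changed settings are processed (no /force).
gpupdate /wait:120

# Remove any stale report so an old file is never parsed by mistake.
Remove-Item -Path $report -ErrorAction SilentlyContinue

# /x writes the Resultant Set of Policy report as XML.
# Run elevated to get computer results as well as user results.
gpresult /x $report
if (-not (Test-Path -Path $report)) {
    throw "gpresult did not write $report"
}

# XmlDocument.Load honours the encoding declared in the file.
$rsop = New-Object System.Xml.XmlDocument
$rsop.Load($report)

# Read a child element's text by local name, ignoring the XML namespace.
function Get-ChildText($node, $name) {
    $child = $node.SelectSingleNode("*[local-name()='$name']")
    if ($child) { $child.InnerText } else { $null }
}

# Assumed layout: ComputerResults/UserResults each hold GPO elements with
# Name, Enabled, FilterAllowed and AccessDenied children.
$gpos = foreach ($scope in 'ComputerResults', 'UserResults') {
    $xpath = "//*[local-name()='$scope']/*[local-name()='GPO']"
    foreach ($gpo in $rsop.SelectNodes($xpath)) {
        [pscustomobject]@{
            Scope         = $scope -replace 'Results$'
            Name          = Get-ChildText $gpo 'Name'
            Enabled       = Get-ChildText $gpo 'Enabled'
            FilterAllowed = Get-ChildText $gpo 'FilterAllowed'
            AccessDenied  = Get-ChildText $gpo 'AccessDenied'
        }
    }
}

# Everything the client evaluated, then only the GPOs matching the pattern.
$gpos | Sort-Object Scope, Name | Format-Table -AutoSize
$gpos | Where-Object { $_.Name -like "*$pattern*" } | Format-Table -AutoSize
```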



Bonus Material



Cheers,


Claus Valca.
