The Sysadmins

Tips and tricks from the Sysadmins

Group Policy – GPUpdate an OU of Computers

There are times when you need to remotely refresh the group policy on a group of computers, bypassing the 90 minute (+30 minute offset) default interval. Let’s look at 3 ways to achieve that, two of the methods require Server 2012 or Windows 8 with the remote administration tools to initiate the refresh, and the 3rd method can be initiated from Windows 7 or Server 2008 R2.

Method 1. Server 2012 introduced the functionality to remotely refresh Group Policy settings for all computers in an OU from the Group Policy Management Console (GPMC). When you use this method, there is a random delay of up to 10 minutes, with the view of decreasing load on network traffic- this random delay cannot be configured when using the GUI. This method supports a Group Policy refresh for Windows Server 2012 R2 Preview, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8.1 Preview, Windows 8, Windows 7 and Windows Vista clients.

Open the GPMC, right click the OU of Computers you’d like to refresh and select Group Policy Update.


This will return the number of computer objects in the OU, and ask if you’re sure.


This will run a GPUpdate /force on all computer objects in the OU selected and any child OUs and will refresh both the computer and user policies.


Method 2. This method, requires Server 2012, or Windows 8 with the remote server administration tools. The following command will retrieve the computer objects from the Servers OU and run the Invoke-GPUpdate against them.

get-adcomputer -SearchBase "OU=Servers,DC=thesysadmins,DC=local" -Filter * | %{invoke-gpupdate -Computer $_.Name -RandomDelayInMinute 0; "Refreshing host $_."}

Be aware, this method will display the command prompt with “Updating Policy” on the computer objects you run it against. So bear this in mind if you’re running this against your desktops or laptops with users logged in.


Method 3. Fear not! If you’re not using Server 2012, you can still achieve the above with fairly little effort using Powershell to generate a list of computers and PSEXEC to run the GPUpdate command. The following Powershell will get you a list of computers from the Servers OU and export them to a text file on the C drive. You can replace this with a UNC path if desired. I’ve added a dummy first entry to the text file, for some reason PSExec fails the first entry so this gets around that.

Add-Content -path C:\Servers.txt -Value Dummy ; Get-ADComputer -LDAPFilter "(name=*)" -SearchBase "OU=Servers,DC=thesysadmins,DC=local" | Select -expand Name | Out-File -Encoding utf8 "C:\Servers.txt" -append

PSEXEC will connect to each of the machines in the Desktops.text and run a gpupdate /force, this method isn’t particuarly quick but it gets the job done.

psexec @"C:\Servers.txt" gpupdate /force



  1. hi

    i am trying to run this script on a server 2008 dc and im getting an error on the Get-ADComputer.
    have you perhaps got that error before?

  2. Excellent post. Makes me look forward to Windows Server 2012 that much more.

    Question though – with Method 3 – rather than use psexec, why wouldn’t you use Invoke-Command? Or is this under the assumption that poweshell remoting is not configured?


      January 22, 2015 at 9:21 pm

      Thanks Steve.

      Correct, that is the main reason I chose PsExec in the 3rd method. As you mention though it’s possible with the Invoke-Command in the right environment.

  3. Is there any way to conduct something like this on an ADDC 2008r2 distro? All of my DC’s are 2008r2, although I do have some 2012’s in the domain. The problem is that I have maybe 300+ servers in my domain that are windows, and without the ability to affect a gpupdate on an OU, I will have to manually log in to every server to update the GP I created for the new WSUS.

    Thanks in advance for the help.


      June 2, 2015 at 12:37 pm

      Hi Charlie

      You will not have to manually run gpupdate on those servers, the refresh interval for Member servers is 90-120 minutes and 5 minutes for Domain Controllers. This means that if you apply a new GPO to an OU it can take a maximum of 2 hours for all computer objects within that OU to pickup the new settings/GPO.

      All of the three methods above will work against Server 2008 R2.


  4. Great post. Thanks!

    Just want to point out a typo on the last line of Method 3 – it says psxec instead of psexec

  5. I’m getting the error in Method 3:
    Unrecognized token in source text.
    At line:1 char:8

  6. I’m trying to do this on a server running 2008 R2, but when I right click on any OU in the GPMC, I’m simply not seeing the “Group Policy Update…” option. Any thoughts?

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.