Group Policy update command on the server. How to update group policies on a Windows computer?

The GPUPDATE command is used to update group policies for a user and / or computer.

Command-line format:

GPUPDATE [/Target:{Computer | User}] [/Force] [/Wait:<value>] [/Logoff] [/Boot] [/Sync]

Command-line parameters:

/Target:{Computer | User} - Update only the user policy settings (User) or only the computer policy settings (Computer). If not specified, both are updated.

/Force - Reapply all policy settings. If not specified, only changed policy settings are applied.

/Wait:<value> - Time (in seconds) to wait for policy processing to complete. The default is 600 seconds. The value "0" means do not wait. The value "-1" means wait indefinitely. If the wait time is exceeded, the command prompt returns, but policy processing continues.

/Logoff - Log off after the Group Policy settings have been updated. Required for Group Policy client-side extensions that do not process policy in the background and process it only at user logon, such as user-targeted software installation or folder redirection. This parameter has no effect if no extension that requires a logoff is called.

/Boot - Restart the computer after the Group Policy settings have been applied. Required for Group Policy client-side extensions that do not process policy in the background and process it only at computer startup, such as computer-targeted software installation. This parameter has no effect if no extension that requires a restart is called.

/Sync - The next foreground policy application is performed synchronously. Foreground policy application occurs when the computer starts or the user logs on. You can use this option for the user, the computer or both by setting the /Target parameter. The /Force and /Wait parameters, if specified, are ignored.

Usage examples:

gpupdate /? - Display help for the command.

gpupdate - Update computer policies and user policies. Only changed policies are applied.

gpupdate /target:computer - Update policies for the computer only.

gpupdate /force - Reapply all policies.

gpupdate /boot - Update group policies and restart the computer.

Summary: Microsoft Scripting Guy Ed Wilson shows how to trigger a Group Policy update via PowerShell.

Update Group Policy in Domain

Sometimes I make changes to Group Policy on the network and need to apply them on all computers. And sometimes I need to refresh the local Group Policy on my own computer.

To refresh Group Policy settings, I use the Gpupdate utility. It has several parameters. By default, the utility updates both computer and user policy, but this can be controlled with the /target parameter. For example, to update only computer policy I specify /target:computer; to update only user policy, /target:user.

PS C:\> gpupdate /target:computer

Updating Policy...

By default, Gpupdate applies only changed Group Policy settings. To apply all settings, use the /force parameter. The following command updates all Group Policy settings (whether or not they have changed) for both the computer and the user.

PS C:\> gpupdate /force

Updating Policy...

Computer Policy update has completed successfully.

User Policy update has completed successfully.

First, get a list of computers in the domain

The first thing I need to do is get a list of all computers in the domain. For this I use the Get-ADComputer cmdlet, included in the Active Directory module.

Note: The Active Directory module is part of RSAT.

I store the returned computers in the $cn variable.

$cn = Get-ADComputer -Filter *

Second, create remote sessions

The next thing I need to do is create remote sessions with all the computers. To do this, I need to supply credentials for connecting to the computers and create the sessions themselves with the New-PSSession cmdlet.

To start, I use the Get-Credential cmdlet and store the object it returns in the $cred variable.

$cred = Get-Credential iammred\administrator

$session = New-PSSession -cn $cn.name -cred $cred

Keep in mind that some computers in the domain may be switched off, so the command may return errors. Despite the errors, Windows PowerShell still creates sessions with the computers that are running.

A large number of errors can be worrying. Because the session objects are stored in the $session variable, I can easily confirm that they were created.

Now run the command on all remote machines

To run Gpupdate on all remote machines, I use the Invoke-Command cmdlet. It uses the sessions saved in the $session variable. The alias for Invoke-Command is icm.

icm -Session $session -ScriptBlock {gpupdate /force}

After the command runs, the results are displayed in the Windows PowerShell console.

Check Group Policy Update

When Group Policy settings are successfully updated on a workstation, an event with ID 1502 is written to the System log. I can use the Invoke-Command cmdlet to retrieve this information.

icm -Session $session -ScriptBlock {Get-EventLog -LogName System -InstanceId 1502 -Newest 1}

The command and its results are shown in the figure below.
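
The four steps above (list computers, open sessions, run gpupdate, check event 1502) combined into one function, as an added example rather than code from the original article. It goes slightly further than the text by scoping the run to an OU, listing unreachable computers in the report and closing the sessions afterwards; the function name, its parameters and the OU in the usage comment are assumptions.

```powershell
#requires -Modules ActiveDirectory
# Added example, not from the original article. Assumptions: WinRM is enabled on
# the targets, the account is a local administrator there, and the function
# name and the OU in the usage line are placeholders.
function Invoke-RemoteGpUpdate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $SearchBase,          # limit the run to one OU instead of the whole domain
        [ValidateSet('Computer', 'User', 'Both')] [string] $Target = 'Both',
        [switch] $Force,
        [int] $WaitSeconds = 120
    )

    # Step 1: computer names from Active Directory (enabled accounts only).
    $adParams = @{ Filter = 'Enabled -eq $true' }
    if ($SearchBase) { $adParams.SearchBase = $SearchBase }
    $names = @(Get-ADComputer @adParams | ForEach-Object { $_.Name })
    if ($names.Count -eq 0) { return }

    # Step 2: switched-off machines raise errors here; suppress them and keep
    # the sessions that did open. Unreachable names are reported further down.
    $sessions = @(New-PSSession -ComputerName $names -Credential $Credential `
                      -ErrorAction SilentlyContinue)
    $reached = @($sessions | ForEach-Object { $_.ComputerName })

    $gpArgs = @("/wait:$WaitSeconds")
    if ($Target -ne 'Both') { $gpArgs += "/target:$Target" }
    if ($Force)             { $gpArgs += '/force' }

    try {
        if ($sessions.Count -gt 0) {
            # Steps 3 and 4 run on each remote machine.
            Invoke-Command -Session $sessions -ArgumentList (, $gpArgs) -ScriptBlock {
                param([string[]] $GpArgs)
                $start = Get-Date      # remote clock, so it is comparable with event times
                & gpupdate.exe @GpArgs | Out-Null
                $code = $LASTEXITCODE
                # The article's success marker: event ID 1502 in the System log.
                $evt = Get-WinEvent -MaxEvents 1 -ErrorAction SilentlyContinue `
                    -FilterHashtable @{ LogName = 'System'; Id = 1502; StartTime = $start }
                [pscustomobject]@{
                    Computer  = $env:COMPUTERNAME
                    Reached   = $true
                    ExitCode  = $code
                    Event1502 = [bool] $evt
                }
            } | Select-Object Computer, Reached, ExitCode, Event1502
        }
        # Computers for which no session could be opened.
        foreach ($n in @($names | Where-Object { $_ -notin $reached })) {
            [pscustomobject]@{
                Computer = $n; Reached = $false; ExitCode = $null; Event1502 = $false
            }
        }
    }
    finally {
        # Do not leave authenticated sessions open on the targets.
        if ($sessions.Count -gt 0) { Remove-PSSession -Session $sessions }
    }
}

# Usage (placeholder OU):
# Invoke-RemoteGpUpdate -Credential (Get-Credential) -SearchBase 'OU=MyComputers,DC=example,DC=com' -Force
```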

Another interesting thing about Group Policy

Sometimes I have to call technical support, and they ask me to update Group Policy on my local computer. This is not a problem, since I can run Gpupdate straight from PowerShell. It gets harder when they ask me to update Group Policy 5 times at 5-minute intervals. But that is solved with one line of code.

1..5 | % {"Refreshing GP $(Get-Date)"; gpupdate /force; sleep 300}

Ed Wilson, Microsoft Scripting Guy


Updating Microsoft Windows Group Policy on the local machine is not very difficult with a tool such as GPUPDATE, but updating these policies on remote computers in the domain cannot be done with the Microsoft Management Console (MMC) or with any Microsoft product available today. In this article, I will describe various tricks, scripts and free tools that let you update Group Policy settings on remote computers in the domain.

Introduction

Most administrators are aware of the problem of applying Group Policy on remote computers. After configuring an important policy, we sometimes want that Group Policy (GP) to take effect on client computers immediately. The problem is that, by default, so-called background processing occurs only at an interval of 90 to 120 minutes (chosen at random); if we want to speed up the update, we are left to our own devices. Of course, there is a reason why policies are not simply refreshed every five minutes or even in real time: in most environments the load on domain controllers and the network would be too great to handle. But when a very important security setting has to be applied quickly to a large number of clients, it is good to be prepared for such a situation.

What we really need is a way for the administrator to update policy on Computer1, Computer2 and/or Computer3, as well as the policies for users A, B and C, from a central point (the administrator's workstation) whenever the administrator considers it necessary. See Figure 1.

Figure 1: Scenario

We have a wonderful tool called GPUPDATE, which is built into Microsoft Windows XP and newer operating systems, and a tool called SECEDIT for Windows 2000, but GPUPDATE and SECEDIT can be run only on the local computer. Of course, if we already have a management system in place, such as Microsoft Systems Management Server (SMS), we can use it to push small scripts that run the required command for a group of users or computers.

If your network has no such system, you need to try more creative approaches, because the alternative is to visit every required computer using a remote assistance tool, or to send all users an e-mail asking them to run the GPUPDATE command... So let's look for more creative approaches.

Problems

Before going deeper into the details, I want to mention the common problems people face when trying to use the methods described in this article.

Firewall problems:

As with other connections initiated over the network, packets that try to update policy settings on remote computers will not get through the local firewall on those computers (such as the firewall built into Windows since Windows XP with Service Pack 2) unless that firewall is configured to allow such incoming traffic (from a selected subnet, IP address or similar). The built-in Windows Firewall must be configured to allow this incoming traffic by means of a Group Policy object, so this is the one policy that we cannot apply remotely to computers that already have the firewall turned on.

The policy setting that must be configured for all methods mentioned in this article is the following:

Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile | "Windows Firewall: Allow remote administration exception".

Other devices acting as firewalls between the central computer and the remote computers must also allow this traffic (see the help text for this policy in gpedit.msc).

Administrator rights:

The user who initiates the process on a remote computer must have local administrator rights on it; otherwise things will not work as you expect.

Once all this is taken care of, let's look at the methods themselves.

Scripting

Scripts are free and widely shared among IT professionals on the Internet; they really are "open source". Microsoft has given us several built-in ways to extend the operating system and the environment, and in this article we look at how these can be used to update Group Policy remotely.

GPUPDATE & SECEDIT

First we must mention the GPUPDATE and SECEDIT tools; without them, nothing listed below would be possible. The scripts and tools mentioned here all assume that one of these tools is installed on the remote client, depending on the operating system version. As mentioned above, SECEDIT is part of Windows 2000, and GPUPDATE took its place in Windows XP and later; it is even present in Longhorn in its current form. In the following scripts I will focus on GPUPDATE. We could check the operating system version before running GPUPDATE or SECEDIT, but that check can be added later without much difficulty.

By default gpupdate.exe is located in the "%windir%\System32" folder, so we do not need to know the absolute path to it on the remote machine. The tool can be called with a set of different switches:

Syntax: GPUPDATE [/Target:{Computer | User}] [/Force] [/Wait:<value>] [/Logoff] [/Boot] [/Sync]

In our "do-it-yourself" HTML Application (HTA) and Windows Management Instrumentation (WMI) scripts we will focus on running GPUPDATE without switches, or with "/Target:Computer" (to update computer-related policies) or "/Target:User" (to update user-related policies). Other parameters could be enabled with a little work, but do we really need "/Logoff" or "/Boot"? They mean that users may be logged off if necessary (software installation, folder redirection, etc.), or even that the computer may be restarted while the user is working. Is that really what we want? In any case, we can also use shutdown.exe for these purposes, so in my opinion these switches will not be very popular.

PsExec

The first method I want to describe is very easy to use and requires practically no programming skill. Why reinvent something that has already been invented? The tool called PsExec was developed by Mark Russinovich, former owner of Sysinternals, which was acquired by Microsoft in July 2006. To date, version 1.73 is available and can be downloaded from the Microsoft TechNet website.

PsExec is great for remote execution, mainly because it does not require installing agents on the remote computer. You just specify the computer name and the command you want to run, with its switches, on the command line, and that's it!

A small trick is to put PSEXEC.EXE in the "%windir%" directory, because then we do not need to specify the full path to it when running it from the command line.

To update Group Policy on a remote machine, all we need to do is set 'ComputerName' in the following command: "PSEXEC \\ComputerName GPUPDATE". The user working on the remote machine will not even notice, but in the background GPUPDATE will update both user and computer policies and apply any missing settings. You might think that PsExec needs to be run with the "-i" switch for user-specific policies to be updated for the remote user, but testing shows that it is optional.

Flex Command script

So, the method above updates policies for one user or computer, but what about updating an entire organizational unit (OU) by combining PsExec and GPUPDATE? For this purpose I created a demonstration script to show some of the possibilities that scripting gives us. The script is called Flex Command and can be downloaded from here. You can easily open the HTA file in a text editor such as Notepad and see the code; there is no hidden magic.

When Flex Command starts, it connects to the Active Directory (AD) domain of the computer on which it runs. It must therefore be run on a computer that is a domain member; otherwise no organizational units will be found.

Select an OU and choose whether the tool should process only machines that are "alive" (responding to WMI requests). The last thing to do is enter the command line that we want to run on the local computer for each object in the selected OU. The text string "(C)" must be kept, because it is replaced with the computer name when the script runs.

Figure 2: Flex Command in action

Let's assume that the OU called "MyComputers" contains only 3 computers: Computer1, Computer2 and Computer3. The command we typed, "PSEXEC \\(C) GPUPDATE", is then translated into the following 3 commands: "PSEXEC \\Computer1 GPUPDATE", "PSEXEC \\Computer2 GPUPDATE", "PSEXEC \\Computer3 GPUPDATE". All commands are executed sequentially (if the computers are "alive") and the remote policies are updated.

The tool can be modified so that the list of computers comes from a file (TXT, CSV, XLS, etc.), a database, a special security group in AD, or a manual selection from a list. The way the script is started can also be changed; it is just a demonstration script whose main purpose is to show the possibilities we have.

The script is distributed free of charge, and you can test, use and change it as you see fit.

Windows Management Instrumentation (WMI)

Well, PsExec really is great, but are there any "manual" methods that let me tailor the solution to my environment? Yes, there are! WMI is very powerful and easy enough to use after a few hours of study. If you master WMI, and the firewall permissions and administrator rights are in order, you can do almost anything in a Windows environment, even shut down and restart computers remotely and execute remote commands.

I created another demonstration script called OU GPUpdate. This HTA script uses several different techniques; it is really a small modification of the Flex Command script. It parses the OU structure in AD (top drop-down list) and lets the user select computers from an OU and run GPUPDATE with the "/Target:User" or "/Target:Computer" parameter, or with no parameters at all. By default only "live" computers (those that respond to WMI requests) are affected.

Figure 3: Select what to update - user settings, computer settings or both

This script is distributed free of charge, and you can test, use and change it as you see fit; it can be downloaded from here.

Remote scripting

In addition to WMI, we can use ordinary remote scripting (VBScript). It can be enabled by setting just one value in the HKLM part of the computer's registry; the script engine must also support Remote Scripting, and from then on everything else is fairly straightforward. The procedure consists of copying a script file (one that runs GPUPDATE) to the remote computer and then sending the VBScript command that starts the script remotely.

RGPrefresh

RGPrefresh is a tool developed by Darren Mar-Elia. His tool uses WMI and launches either SECEDIT or GPUPDATE, depending on the operating system of the remote computer, with the switches selected by the user. These switches give you the same options as using the tools locally.

This tool processes one machine at a time, but with Flex Command as a wrapper it can be used for an entire organizational unit (OU) with just a few mouse clicks... Both RGPrefresh and PsExec can also be combined with DSQUERY, FOR and other command-line utilities to handle more than one computer at a time.

Figure 4: Parameters for RGPrefresh

This tool can be downloaded for free from this page.

Specops Gpupdate

Special Operations Software (Specops), an international software vendor, offers Active Directory management products based on Group Policy technology. The company has released its own solution for remote policy updates and, most remarkably, it is completely free. The current version of Specops Gpupdate is 1.0.2.13 (2006-10-25), and the utility can be downloaded from here. It not only has the functionality we built in the scripts mentioned above, but also adds several management features. Let's take a look at this wonderful utility...

Installing Specops Gpupdate

Installing the MSI package is very simple; all it requires is the Active Directory Users & Computers (ADUC) MMC and Microsoft .NET Framework version 2.0.

Figure 5: The installation is as simple as installing any MSI package (click Next, Next, Next)

After the MSI file is installed, nothing changes in the graphical user interface (GUI); only "Add/Remove Programs" shows that Specops is installed on the machine. So some additional work is needed for the magic to happen...

Extension for Active Directory Users & Computers

After installing Specops Gpupdate, a special command must be run in the AD forest.

"%CommonProgramFiles%\SpecopSSoft\Specops ADUC EXTENSION\SPECOPSADUCMENUEXTENSIONSTALLER.EXE" /add

This is not a schema update, although you need Enterprise Admin rights to run the command. The command is fully reversible: just run it again with the "/remove" switch. All it does is register so-called "Display Specifiers" that extend the ADUC view.

Then right-click an OU or computer object and you will see four new commands: Gpupdate, Restart, Shut down and Start. Multiple computers and OUs can be selected by holding the key and right-clicking the required objects.

Figure 6: The extended ADUC MMC

If, like me, you wonder whether this also works on machines that are not domain controllers (DCs), the answer is yes! After installing the Windows Server 2003 Service Pack 1 Administration Tools Pack, .NET Framework 2.0 and Specops Gpupdate on a Windows XP Professional client, the console looks the same as on a DC and has the same features.

Gpupdate option

The first option lets us run GPUPDATE remotely on the selected computers. After selecting Gpupdate we must confirm the selection, as shown in Figure 7, and tick the "Use Force option" box if we want to use the force switch.

Figure 7.

After clicking OK, a dynamic graph appears (see Figure 8), along with a report on the update status.

Figure 8.

Restart and Shut down options

The next two options, 'Restart' and 'Shut down', are very useful management functions to have right in ADUC. We can run Restart or Shut down and set the time in seconds that the user is given to close all running applications. Writing a script that does the same is not very difficult using WMI or shutdown.exe with the right switches, but with Specops Gpupdate we get this functionality completely free, without spending time and effort.

Figure 9: Dialog box with a reboot message

Start option

The last of the four options is called 'Start'; it is in fact Wake on LAN (WOL) functionality built into ADUC. After this option is selected and confirmed (see Figure 10), so-called magic packets are sent to the MAC addresses of the client computers, and they start booting. For WOL to work, the computers' BIOS must support it. Specops Gpupdate talks to the Microsoft DHCP servers in the organization to find the information needed for this process, so it can wake only DHCP clients, and only on networks with Microsoft DHCP servers.

Figure 10: Confirm the launch of the remote WOL

By the way, scripts can also be used for WOL, but examples of such code are beyond the scope of this article.

Conclusion

We have looked at several ways to apply Group Policy on remote computers. Which of them suits you best depends on your environment. I personally like scripting, but why work hard on something other people have already built? I have two answers to that question: first, we learn while writing such scripts; second, special requirements or customization. Scripting improves our skills as IT professionals and also lets us tailor ready-made solutions to fit specific conditions more precisely.

Specops has developed a very good free utility that performs basic policy updates on network clients. I recommend you try it!

Source: www.windowsecurity.com

Configuring Windows 10 update policy

Configuring the Windows 10 update policy means setting how updates are received in Windows 10. In Windows 10 the Windows Update settings were moved from Control Panel to the Settings app. Windows 10 does not offer the settings that Control Panel had, so there is no option there to disable updates or choose how they are received. However, using the Registry Editor and the Local Group Policy Editor, you can disable updates and set how they are received.

Setting up updates using the Local Group Policy Editor

Launch the Local Group Policy Editor by pressing Win + R, typing gpedit.msc and clicking OK.

Windows 10 update Group Policy

Go to Computer Configuration - Administrative Templates - Windows Components - Windows Update. Click Windows Update, then find the Configure Automatic Updates item on the right and change its settings.

Configuring the Windows 10 updates Group Policy

In the window that opens, select Enabled and then set the update options below. Click OK. For the settings to take effect, open Settings - Update & Security - Windows Update and click Check for updates.

After configuring the Windows 10 policy, run the update

After that, the settings you made in the Local Group Policy Editor will take effect.

Setting up updates using the Registry Editor

Run the Registry Editor by pressing Win + R. In the Run window that opens, type regedit and click OK.

Open the Registry Editor and create the four parameters that control Windows 10 updates

In the left pane of the editor, expand HKEY_LOCAL_MACHINE - Software - Policies - Microsoft - Windows. Right-click Windows and choose New - Key in the context menu. Name the new key WindowsUpdate.
Then right-click the newly created WindowsUpdate key and create another key named AU.
Then right-click the AU key and choose New - DWORD (32-bit) Value. The new value appears in the right pane; name it AUOptions. In the same way, create three more values in the AU key and name them NoAutoUpdate, ScheduledInstallDay and ScheduledInstallTime (optionally also NoAutoRebootWithLoggedOnUsers). Now set the values of these four new parameters.

For the AUOptions parameter

  • 2 - notify before downloading and installing any updates.
  • 3 - download updates automatically and notify about their installation.
  • 4 - download updates automatically and install them on the specified schedule.
  • 5 - allow local administrators to choose the update and notification mode.

For the NoAutoUpdate parameter

  • 0 - automatic installation of updates is enabled; updates are downloaded and installed according to the AUOptions setting.
  • 1 - automatic installation of updates is disabled.

For the ScheduledInstallDay parameter

  • 0 - updates are installed daily when AUOptions is 4.
  • 1 - updates are installed every Monday when AUOptions is 4.
  • 2 - updates are installed every Tuesday when AUOptions is 4.
  • 3 - updates are installed every Wednesday when AUOptions is 4.
  • 4 - updates are installed every Thursday when AUOptions is 4.
  • 5 - updates are installed every Friday when AUOptions is 4.
  • 6 - updates are installed every Saturday when AUOptions is 4.
  • 7 - updates are installed every Sunday when AUOptions is 4.

For the ScheduledInstallTime parameter

From 0 to 23 - updates are installed at the given hour of the day when AUOptions is 4.

For the NoAutoRebootWithLoggedOnUsers parameter

  • 0 - after updates are installed, the computer restarts automatically; applies when AUOptions is 4.
  • 1 - after updates are installed, the computer does not restart automatically; applies when AUOptions is 4.
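
An added example (not part of the original article) that reads the values created above and flags settings that disable updates, are out of range, have the wrong type or have no effect. The function name and the finding texts are assumptions, and ScheduledInstallDay is only range-checked, not decoded to a day name.

```powershell
# Added example: audit the Automatic Updates policy values described above.
# Value names and ranges are those listed on this page; the function name and
# the wording of the findings are illustrative.
function Get-AUPolicyReport {
    [CmdletBinding()]
    param(
        # Key created in the steps above; pass another path to inspect a test key.
        [string] $Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    )

    $modes = @{
        2 = 'Notify before downloading and installing updates'
        3 = 'Download automatically and notify about installation'
        4 = 'Download automatically and install on the schedule'
        5 = 'Local administrators choose the mode'
    }
    $names = 'AUOptions', 'NoAutoUpdate', 'ScheduledInstallDay',
             'ScheduledInstallTime', 'NoAutoRebootWithLoggedOnUsers'
    $v = @{}
    $findings = New-Object 'System.Collections.Generic.List[string]'

    if (-not (Test-Path -LiteralPath $Path)) {
        $findings.Add("Key not found: no Automatic Updates policy is set under $Path.")
    }
    else {
        $key = Get-Item -LiteralPath $Path
        foreach ($n in $names) {
            $v[$n] = $key.GetValue($n, $null)   # $null when the value was never created
            if ($null -ne $v[$n] -and $key.GetValueKind($n) -ne 'DWord') {
                # A value created with the wrong type is reported and then ignored.
                $findings.Add("$n has type $($key.GetValueKind($n)); expected DWORD (32-bit).")
                $v[$n] = $null
            }
        }

        if ($v.NoAutoUpdate -eq 1) {
            $findings.Add('NoAutoUpdate = 1: automatic installation of updates is disabled.')
        }
        if ($null -ne $v.AUOptions -and $v.AUOptions -notin 2..5) {
            $findings.Add("AUOptions = $($v.AUOptions) is not one of 2, 3, 4, 5.")
        }

        $hasSchedule = ($null -ne $v.ScheduledInstallDay) -or ($null -ne $v.ScheduledInstallTime)
        if ($v.AUOptions -eq 4) {
            if ($v.ScheduledInstallDay -notin 0..7) {
                $findings.Add('AUOptions = 4 but ScheduledInstallDay is missing or outside 0-7.')
            }
            if ($v.ScheduledInstallTime -notin 0..23) {
                $findings.Add('AUOptions = 4 but ScheduledInstallTime is missing or outside 0-23.')
            }
        }
        elseif ($hasSchedule) {
            $findings.Add('Schedule values are set but are used only when AUOptions = 4.')
        }
        if ($null -ne $v.NoAutoRebootWithLoggedOnUsers -and $v.AUOptions -ne 4) {
            $findings.Add('NoAutoRebootWithLoggedOnUsers is set but applies only when AUOptions = 4.')
        }
    }

    # Decode AUOptions only when it is present and in range.
    $mode = $null
    if ($null -ne $v.AUOptions -and $modes.ContainsKey($v.AUOptions)) {
        $mode = $modes[$v.AUOptions]
    }

    [pscustomobject]@{
        Path            = $Path
        Mode            = $mode
        UpdatesDisabled = ($v.NoAutoUpdate -eq 1)
        Values          = $v
        Findings        = $findings.ToArray()
    }
}

# Usage: (Get-AUPolicyReport).Findings
```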