
Mar 16, 2010

So, in a previous installment, we explored GPupdate /force.

One use, as we examined, enabled us to move a user or computer account around in AD, and have its new location “magically picked up.”

Let’s examine the other use of GPupdate /force. Let’s take a closer look at how “GP does its thing.” When a user (or computer) gets its first batch of GPOs, it has to download them.

Now, the good news is that WHAT it downloads is really, really small. Usually 1, 2, 3 or 4k ish. That’s KILOBYTES, like what my VIC-20 was packin’ back in the day.

So, okay. First myth busted: the download “payload” of Group Policy objects isn’t that big (under most circumstances.)

Now, it’s true that the stuff the GPO is DOING can have an impact. But, even then, it’s usually pretty nominal if you’re sticking mostly to GPPrefs and/or Admin Templates (registry settings.)

Okay. So, back to /force versus no /force.

So if your user or computer is just sitting there a while, it asks, every so often “Hey.. any updated (or new) GPOs out there for me?” If the answer is YES, it downloads JUST the new or changed GPOs and processes those.

Wow. Neat. So how does it KNOW which ones are NEW or CHANGED? The GPO Version number, of course. This is a little internal counter (found on both the user and computer sides.) If either version changes, then blamo! the GPO comes down and is processed.

Okay, okay. Back to /force versus no /force.

When you run GPupdate by itself (no force) you’re “accelerating the hands of time” and forcing the user and computer side to ask “Hey.. any updated (or new) GPOs out there for me?” Again, if YES, those come down and apply.

Then why would you ever NEED /force ?

Honestly, under most circumstances.. you shouldn’t.

A key case when you WOULD need the /force would be, say, if someone with local admin rights did a no-no, like changing a value that only the protected SYSTEM should get to. For example, say a local administrator deleted a registry key that restricted access to the Control Panel. Now — REGULAR USERS cannot do this. But ADMINS can.

Then running a GPupdate — by itself — wouldn’t fix the problem. Only a GPupdate /force will “re-bring down” the settings — EVEN IF THE VERSION NUMBER HAS NOT CHANGED. Only this will shore up the hole that local admin has created.
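The check below is an added example, not code from the original post: it looks for a policy-written registry value that has gone missing, tries a plain refresh first, and falls back to /force only if the value is still absent. It assumes the GPO in question enforces the user-side `NoControlPanel` value under the Explorer policies key; substitute the value your own GPO writes.

```powershell
# Added example (not from the original post). Run as the affected user.
# Assumption: the GPO enforces NoControlPanel = 1 on the user side.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoControlPanel'
$Expected  = 1

function Test-PolicyValue {
    # True only if the value exists and still holds the enforced data.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$ValueName -eq $Expected)
}

if (Test-PolicyValue) {
    Write-Output "OK: $ValueName is still $Expected; nothing to reapply."
    return
}

Write-Warning "$ValueName is missing or changed on $env:COMPUTERNAME."

# Plain refresh: asks only for new or changed GPOs (version number check).
gpupdate /target:user | Out-Null
if (Test-PolicyValue) {
    Write-Output "Restored by a normal refresh (the GPO version had changed)."
    return
}

# Version unchanged, so the setting was skipped. Reapply everything.
gpupdate /target:user /force | Out-Null
if (Test-PolicyValue) {
    Write-Output "Restored by gpupdate /force."
} else {
    Write-Warning "Still missing after /force; check that the GPO actually applies (gpresult /r)."
}
```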

That being said… On the other hand, I have seen plenty of times where GPupdate /force is like a kick to the system’s head. There is some magical quality about /force which does sometimes “jumpstart” you out of a problem, and .. whoa.. things seem to “just be all a-ok, ducky” right now.

Has the /force helped you get out of a pickle? Post your story to my GPanswers.com blog.

Ready to learn more? Group Policy University.. Live or Online.

Next Live.. Seattle, the week of April 19th.
Online.. whenever you need it.
One line: www.GPanswers.com/training
