Forcing a Group Policy Object Refresh

In some situations, you might want to change a GPO and apply it immediately to a group of users and machines rather than waiting for background refresh to kick in and request the latest updates. Group Policy does not have a "push" feature because, as you learned in Chapter 3, the client systems are responsible for requesting and then downloading new updates from Active Directory. If you want a client to refresh Group Policy right away, you ordinarily need to trot out to a client computer and run GPUpdate (Windows XP or Windows Server 2003) or Secedit /refreshpolicy (Windows 2000). Using remote scripting, you can instruct a member computer to forcefully perform both user and computer background refresh of GPOs using GPUpdate or SECEDIT without visiting the machine.

Remote scripting uses two scripts. One script runs on a management workstation and acts to send a second script out to a target machine for execution. You'll need WSH 5.6 or later on both the remote machine and the machine where you run the script.

Tip 

Windows XP and Server 2003 come with WSH 5.6. For Windows 2000, download WSH 5.6 from www.microsoft.com/scripting.

Note 

Mark Russinovich and Bryce Cogswell have a tool on their www.sysinternals.com website called Psexec that can also execute a command on a remote machine. This utility exposes your password in clear text on the wire, though, whereas remote scripting uses NTLMv2 authentication.

Enabling Remote Scripting

Remote scripting is disabled by default. Enabling it involves performing two operations at both the management workstation where you launch the script and at each target machine where you want the remote script to execute. The best news is that this procedure is fairly safe because only users with administrator rights are allowed to execute scripts remotely.

You need to tell the script engine that it can use remote scripting. Do this by running the following command:

wscript -regserver

You also need to make the following Registry entry:

Key:   HKLM\Software\Microsoft\Windows Script Host\Settings
Value: Remote
Data:  1 (Reg_SZ)

The Reg_SZ in the last line is not a typo. The value really is Reg_SZ, not Reg_DWORD.

If the thought of visiting the consoles of thousands of machines to do these two chores doesn't appeal to you, you can automate the process. You can include the wscript -regserver command in a logon script. Registration does not require admin permissions.

You can distribute the Registry update in the same logon script, or you can use the REG command to make the change from a central location. The syntax is as follows:

reg add "\\<computer_name>\HKLM\Software\Microsoft\Windows Script Host\Settings" /v Remote /t REG_SZ /d 1
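Because the Remote value turns every machine that carries it into a remote-execution target for anyone with administrator rights, it is worth knowing where it is set. The following PowerShell script is an added example, not from the book: it reads the Windows Script Host Settings key on a list of machines through the Remote Registry service and reports whether remote scripting is enabled and whether the value was created with the REG_SZ type the book insists on. The computer names are placeholders.

```powershell
# Audit WSH remote scripting across machines (added example; names are placeholders).
# Requires the Remote Registry service on each target and admin rights on them.
$computers = @('XPPRO1-PLACEHOLDER', 'FILESRV-PLACEHOLDER')
$subKey    = 'Software\Microsoft\Windows Script Host\Settings'

foreach ($computer in $computers) {
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
        $key  = $base.OpenSubKey($subKey)

        $value = if ($key) { $key.GetValue('Remote') } else { $null }
        $kind  = if ($key -and $null -ne $value) { $key.GetValueKind('Remote') } else { 'missing' }

        [pscustomobject]@{
            Computer      = $computer
            Remote        = $value
            Type          = $kind
            # WSH only honours the setting as a REG_SZ string "1"
            Enabled       = ($kind -eq 'String' -and "$value" -eq '1')
            # A REG_DWORD here is the mistake the book warns about: set, but ineffective
            Misconfigured = ($kind -eq 'DWord')
        }

        if ($key) { $key.Close() }
        $base.Close()
    }
    catch {
        [pscustomobject]@{
            Computer = $computer; Remote = $null; Type = 'unreachable'
            Enabled  = $false;    Misconfigured = $false
        }
    }
}
```

Machines that report Enabled = True and are not management targets are candidates for having the value removed or set to 0.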

Scripting the Forced Background Refresh

To test whether you can forcefully refresh a client, either create a new GPO or put a new setting in an existing GPO. Then build two scripts, one to run at a remote desktop and one that sends the script to the remote desktop. The script that runs on the remote desktop needs to run only GPUpdate or SECEDIT, depending on the operating system. You can use WMI to target the script delivery, but since the machine will ignore a command that it doesn't support, you can put both versions into the same script.

'script name: refresh_group_policies.vbs
' Runs on the target machine. Windows XP/2003 understand GPUpdate; Windows 2000
' understands SECEDIT /refreshpolicy. On Windows 2000 "gpupdate" does not exist and
' WshShell.Run raises an error, so continue past failures instead of aborting.
On Error Resume Next
Set shell = CreateObject("WScript.Shell")
cmdline = "gpupdate /force"
shell.Run cmdline, 0, True     ' hidden window, wait for the command to finish
cmdline = "secedit /refreshpolicy /machine_policy /enforce"
shell.Run cmdline, 0, True
cmdline = "secedit /refreshpolicy /user_policy /enforce"
shell.Run cmdline, 0, True

Save this script to a folder on your management workstation. In the example, I'll use a folder called C:\RemoteScripts.

The next script is a bit more complicated. It first creates an instance of the WSHController object, the object that manages remote scripting. The script then uses the CreateScript method of WSHController to package the client script and executes the script at the remote client using the Execute method. The script then checks the status of the remote script every 100 milliseconds (WScript.Sleep 100) until the script finishes running (Status 2). In the sample listing, the target machine is a desktop named XPProl.

'script name: force_gp_refresh.vbs
' Runs on the management workstation and sends refresh_group_policies.vbs
' to the target machine for execution.
Set controllerobj = CreateObject("WSHController")
Set processobj = controllerobj.CreateScript("c:\remotescripts" & _
    "\refresh_group_policies.vbs", "\\xpprol")
processobj.Execute
' WshRemote.Status: 0 = not started, 1 = running, 2 = finished
Do While processobj.Status <> 2
    WScript.Sleep 100
Loop
WScript.Echo "The remote script process has finished."

You can verify that the script ran by checking GPResult on the target machine to verify it downloaded the new settings in the test GPO.
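The controller script above waits forever if the remote host never reports Status 2, and it never inspects the remote script's error object. The PowerShell script below is an added example, not from the book: it drives the same WSHController COM object against several targets, gives each run a deadline, and reports the remote runtime error if one occurred. The path, computer names and timeout are assumptions.

```powershell
# Run the book's refresh_group_policies.vbs on several targets via WSHController
# (added example). Path and target names are placeholders.
$script         = 'C:\RemoteScripts\refresh_group_policies.vbs'
$targets        = @('XPPRO1-PLACEHOLDER', 'XPPRO2-PLACEHOLDER')
$timeoutSeconds = 120

$controller = New-Object -ComObject WSHController

foreach ($target in $targets) {
    # Package the local script for the remote host and start it there
    $remote = $controller.CreateScript($script, $target)
    $remote.Execute()

    $deadline = (Get-Date).AddSeconds($timeoutSeconds)
    # WshRemote.Status: 0 = not started, 1 = running, 2 = finished
    while ($remote.Status -ne 2 -and (Get-Date) -lt $deadline) {
        Start-Sleep -Milliseconds 100
    }

    if ($remote.Status -ne 2) {
        # Do not leave a hung remote process behind
        $remote.Terminate()
        Write-Warning "$target : remote script did not finish within $timeoutSeconds s; terminated."
    }
    elseif ($remote.Error.Description) {
        # WshRemote.Error carries the runtime error raised by the remote script, if any
        Write-Warning ("$target : remote script failed at line {0}: {1}" -f
            $remote.Error.Line, $remote.Error.Description)
    }
    else {
        Write-Output "$target : refresh script finished."
    }
}
```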



Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows XP, and Windows 2000 (Mark Minasi Windows Administrator Library)
ISBN: 0782144470
Year: 2005
Pages: 110
