If Group Policy settings don’t take effect immediately

The February issue of WindowsITPro has an interesting article about Group Policy annoyances (subscribers only). I think the most common problem is Group Policy settings not taking effect immediately. You change a setting and reboot the machine, but the change doesn’t seem to show immediately.

Profile gravatar of Michael Pietroforte

Michael Pietroforte

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in IT management and system administration.
Profile gravatar of Michael Pietroforte

The cause for this problem could be that Group Policy Objects (GPOs) are processed asynchronously, by default. This means that processing occurs while Windows is still working on presenting the logon screen.

There are some Group Policy settings that need exclusive access to the computer or user environment. The most prominent ones are Software Installation and Folder Redirection. The latter might become important when you work with roaming profiles and start deploying Vista. Check out this post about Windows XP and Vista interoperability of roaming user profiles for more information.

There is a setting that tells Windows to process Group Policy synchronously. You can find it under Computer Configuration\Administrative Templates\System\Logon. You have to enable the policy “Always wait for the network at computer startup and logon“. This way, Group Policy will be processed synchronously. Note that this will increase the time needed to boot-up and logon.

  1. avatar
    Hugh 10 years ago

    I use ‘gpupdate /force’ and it seems to work (except for those changes that require reboot anyway). Great for customer machines where you are not the primary admin so making “extra changes” beyond what you are required to do can be problematical.

    Would be interested if anyone knows if there are any “traps” awaiting me using this command.

  2. Profile gravatar of Michael Pietroforte
    Michael Pietroforte 10 years ago

    You’re right, you can always use gpupdate. I use it often whenever I test Group Policy, and it works reliably. However, I doubt that it will help with the problem I discussed in the post. Sometimes, it is important that policies are applied at the right moment. Folder redirection is one example. If you run gpupdate after you logged on, it is already too late.

  3. avatar
    Civisi 9 years ago

    Instead of just using ‘gpupdate /force’ you should also use ‘gpupdate’ by itself before running it with the /force switch. Some policies are only applied through a normal refresh, while others will require the /force switch to fully take effect.

  4. avatar
    Barry Burns 9 years ago

    There’s also ‘gpupdate /force /boot’. That one’s quite useful when applying changes that require a reboot (like software installation). ‘gpupdate /sync’ can be useful, too.


  5. avatar
    Steve Carneol 9 years ago

    I am finding that if you try running gpupdate/force /boot remotely using psexec or any other remote management tool while a user is not logged on, the computer will not reboot even though it requires one in order for the Group Policy to apply. Adding a shutdown command to the process obviously solves the problem.

  6. avatar
    Chris Iarocci 6 years ago

    I’m currently migrating to 2008R2 and I have folder redirection in place. Updating the GPO and then forcing it to update with gpupdate /force /boot doesn’t work. The machine boots back up and still goes to the old location. I’ve tried it about 10 times on an XP machine (the definition of insanity I hear) with no luck. Anyone have a clue on how to get a folder redirection policy to actually update on XP, Vista, 7 workstations?

  7. avatar
    Shah Murad 6 years ago

    After adding Server 2008 R2 in 2003 Forest and Domain environment, I am noticing that new GPO’s are not working on XP SP3 Pro Clients! Even something as simple as Hide Run Command, My Documents folder redir.
    Any idas?

    Tried the following:

    *Removed PC from domain, re-added
    *Creaeted Test OU, created Test User, USER specific GPO’s not applied
    *Teasted creating GPO’s from both Server 2008 R2 and then Server 2003 R2, still no luck
    *DCdiag had no errors (except for ROCD Prep was not run..)
    *GPResult.exe does not even show the new GPO as applied or not applied.
    Google search revealed that many other IT Admins encountered same errors, GPOs are not working.
    Any insights on this?
    Thanks guys~

  8. avatar
    Shah Murad 6 years ago

    Noticed the posting by Chris (iteam #6).. I too started with Folder Redirection and then after few tests, I found out that No New GPO’s are beein applied.
    What a horrible experience with Server 2008 R2!!

  9. avatar
    Michaël Van den Steen 2 years ago

    Exactly what I needed, thanks a lot!

  10. avatar
    Manong P. 8 months ago

    Hi, I am new to GP and I was experimenting with a policy that I applied on my test lab. I made a policy to automatically map a network drive but it doesn’t work when “Link Enabled” is applied. When I tried to “Enforce” the policy in the OU, the policy worked. What seems to be the problem? Do I need to always “ENFORCE” a policy to make it work? I’ve noticed that the Default Domain Policy works even without Enforcing it.


Leave a reply

Your email address will not be published. Required fields are marked *



Please ask IT administration questions in the forum. Any other messages are welcome.

© 4sysops 2006 - 2016

Log in with your credentials


Forgot your details?

Create Account