Invoke-command gpupdate /force on all DCs in forest

This topic contains 7 replies, has 4 voices, and was last updated by  Jeff Taylor 2 years, 5 months ago.

  • Author
  • #35073

    Jeff Taylor

    I have to implement a change to a PKI CA that will require gpupdate /force on all DC's in the forest (multi child domains) to receive the registry addition(s) in a timely manner.

    How can I run a PS one liner to invoke-command to accomplish that if I have (so far) this discovery bit of scripting? I'm unclear after the pipe how to accomplish.

    foreach ($domain in ((get-adforest).domains)) { get-addomaincontroller -filter * -server $domain } | invoke-command {gpupdate /force}

    thank you

  • #35085

    Jeff Taylor

    I did get this to work thanks to Month of Lunches CH 15!

    Invoke-Command -ScriptBlock {gpupdate /force} -ComputerName (Get-Content .\alldcs.txt)

    Can someone help me put the two together?

  • #35087

    Yuan Li

    Hi Jeff

    foreach ($domain in ((get-adforest).domains)) {

    Invoke-Command -computername (get-addomaincontroller -filter * -server $domain).hostname -ScriptBlock{gpupdate /force}

  • #35089

    David Jones

    Your almost there

    foreach ($domain in (get-adforest).domains) { get-addomaincontroller -filter * -server $domain | invoke-gpupdate -RandomDelayInMunutes 0}

  • #35149

    Jeff Taylor

    Thanks Yuan...perfect success for my 2008 DC's

    Thanks David...perfect success for my 2012 DC's (typo corrected for -RandomDelayInMinutes)

  • #35150

    Jeff Taylor

    quick followup question.

    I have 45 DCs to run gpupdate against. Does invoke-gpupdate have a throttle limit on the number of processes this will use against my DC's. I want to ensure all of them recieve the gpupdate.

    I seem to recall in Month of Lunches (returned to library) that there was a limit with Invoke-Command so wondered about invoke-gpupdate similarly.

  • #35174


    If you take a look at the -Computer parameter for Invoke-GPUpdate, you'll notice that it only accepts a single computer, while the -ComputerName parameter of Invoke-Command accepts multiple computers. Compare Get-Help -Name Invoke-GPUpdate -Parameter Computer and Get-Help -Name Invoke-Command -Parameter ComputerName. See the square brackets –> []. Those indicate it'll take more than one at a time. Therefore, there's no need for a -ThrottleLimit parameter. In addition, since we're piping computer names to the cmdlet, it's only going to process one computer at a time anyway.

  • #35320

    Jeff Taylor

    tommymaynard, thanks for the reminder on those []

    I didn't know we could do a get-help on get-help! niiiice

You must be logged in to reply to this topic.