As an administrator, you can also force a GPO onto a client machine on which you are working. The GPUpdate.exe command allows you to run a GPO on a client machine. The GPUpdate command will run on all Windows client machines from Windows Vista to Windows Server 2022. Table 8.2 shows some of the GPUpdate switches you can use.
TABLE 8.2 GPUpdate.exe switches
| Switch | Description |
| --- | --- |
| /target:{Computer \| User} | Updates only the User or Computer policy settings for the computer or user specified. |
| /force | Forces the GPO to reapply all policy settings. By default, only policy settings that have changed are applied. |
| /wait:<VALUE> | Determines the number of seconds that the system will wait after a policy is processed before returning to the command prompt. |
| /logoff | The domain user account will automatically log off the computer after the Group Policy settings are updated. |
| /boot | The computer will automatically restart after the Group Policy settings are applied. |
| /sync | This switch forces the next available foreground policy application to be done synchronously. Foreground policies are applied when the computer boots up and the user logs in. |
| /? | Displays help at the command prompt. |
Managing Group Policy
Now that you have implemented GPOs and applied them to sites, domains, and OUs within Active Directory, it’s time to look at some ways to manage them. In the following sections, you’ll look at how multiple GPOs can interact with one another and ways that you can provide security for GPO management. Using these features is an important part of working with Active Directory, and if you properly plan Group Policy, you can greatly reduce the time the help desk spends troubleshooting common problems.
Managing GPOs
One of the benefits of GPOs is that they’re modular and can apply to many different objects and levels within Active Directory. This can also be one of the drawbacks of GPOs if they’re not managed properly. A common administrative function related to using GPOs is finding all of the Active Directory links for each of these objects. You can do this when you are viewing the Linked Group Policy Objects tab of the site, domain, or OU in the GPMC (shown in Figure 8.3).
FIGURE 8.3 Viewing GPO links to an Active Directory OU

In addition to the common action of delegating permissions on OUs, you can set permissions regarding the modification of GPOs. The best way to accomplish this is to add users to the Group Policy Creator Owners built-in security group. The members of this group are able to modify security policy.
Windows Management Instrumentation
Windows Management Instrumentation (WMI) scripts are used to gather information or to help GPOs deploy better. The best way to explain this is to give an example. Let’s say you wanted to deploy Microsoft Office 2016 to everyone in the company. You would first set up a GPO to deploy the Office package (explained later in the section “Deploying Software Through a GPO”).
You can then place a WMI script on the GPO stating that only computers with 10 GB of hard disk space actually deploy Office. Now if a computer has 10 GB of free space, the Office GPO would get installed. If the computer does not have the 10 GB of hard disk space, the GPO will not deploy. You can use WMI scripts to check for computer information such as MAC addresses. WMI is a powerful tool because if you know how to write scripts, the possibilities are endless. The following script is a sample of a WMI script that is checking for at least 10 GB of free space on the C: partition/volume:
Select * from Win32_LogicalDisk where FreeSpace > 10737418240 AND Caption = "C:"
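Before attaching a query like this to a GPO, it helps to see which machines it would actually select. The following PowerShell is an added example, not part of the original text: the function name Test-WmiFilterQuery and the computer name CLIENT01 are hypothetical, and it assumes the target machines accept CIM (WinRM) connections.

```powershell
# Added example: run a WMI filter query against one or more computers and
# report whether each would pass. A query that returns at least one
# instance counts as a pass; no instances counts as a fail.
function Test-WmiFilterQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string]   $Namespace    = 'root\CIMv2',
        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        $result = [ordered]@{
            ComputerName = $computer
            Passes       = $false
            MatchCount   = 0
            Error        = $null
        }
        try {
            $cimArgs = @{ Query = $Query; Namespace = $Namespace; ErrorAction = 'Stop' }
            # Remote machines are queried over WinRM; the local machine directly.
            if ($computer -ne $env:COMPUTERNAME) { $cimArgs.ComputerName = $computer }
            $instances = @(Get-CimInstance @cimArgs)
            $result.MatchCount = $instances.Count
            $result.Passes     = $instances.Count -gt 0
        }
        catch {
            # This function reports an invalid query or an unreachable host
            # as not passing and keeps the error text for review.
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# The query from the text: more than 10 GB (10737418240 bytes) free on C:
$query = 'Select * from Win32_LogicalDisk where FreeSpace > 10737418240 AND Caption = "C:"'

# CLIENT01 is a hypothetical computer name.
Test-WmiFilterQuery -Query $query -ComputerName $env:COMPUTERNAME, 'CLIENT01' |
    Format-Table ComputerName, Passes, MatchCount, Error -AutoSize
```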
Security Filtering of a Group Policy
Another method of securing access to GPOs is to set permissions on the GPOs themselves. You can do this by opening the GPMC, selecting the GPO, and clicking the Advanced button in the Delegation tab. The Unlinked Test GPO Security Settings dialog box appears (see Figure 8.4).
FIGURE 8.4 A GPO’s Security Settings dialog box

The following permissions options are available:
■ Full Control
■ Read
■ Write
■ Create All Child Objects
■ Delete All Child Objects
■ Apply Group Policy
You might have to scroll the Permissions window to see the Apply Group Policy item. Of these, the Apply Group Policy setting is particularly important because you use it to filter the scope of the GPO. Filtering is the process by which selected security groups are included or excluded from the effects of the GPOs. To specify that the GPO's settings should apply to a security group, select the Allow check box for both the Apply Group Policy setting and the Read setting. These settings will be applied only if the security group is also contained within a site, domain, or OU to which the GPO is linked. To disable GPO access for a group, choose Deny for both of these settings. Finally, if you do not want to specify either Allow or Deny, leave both boxes blank. This is effectively the same as having no setting.
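The same Allow settings can be applied and reviewed from PowerShell with the GroupPolicy module that installs with the GPMC. This is an added example, not part of the original text: the group name Sales Users and the function name Get-GpoEditor are hypothetical, and the GPO name is the one shown in the dialog box title above. The module's cmdlets only grant Allow permissions; Deny entries are set in the Security Settings dialog box and appear here in the Denied column.

```powershell
# Added example; requires the GroupPolicy module (installed with the GPMC / RSAT).
Import-Module GroupPolicy

$gpoName = 'Unlinked Test GPO'   # GPO named in the dialog box title above
$group   = 'Sales Users'         # hypothetical security group

# GpoApply grants Allow for both Read and Apply Group Policy to the group.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Narrow the default Authenticated Users entry to Read only, so the GPO
# applies to the chosen group alone while computers can still read it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Review the resulting security filtering on this GPO.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                  Permission, Inherited, Denied |
    Format-Table -AutoSize

# Audit: list every trustee that can modify any GPO in the domain.
function Get-GpoEditor {
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    Permission = $_.Permission
                }
            }
    }
}

Get-GpoEditor | Sort-Object Trustee, Gpo | Format-Table -AutoSize
```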
In Exercise 8.3, you will filter Group Policy using security groups. To complete the steps in this exercise, you must have completed Exercises 8.1 and 8.2.