1

I have several local accounts which are created at install time with C#. There is a group policy that in turn grants certain permissions to these new accounts.

The problem I am trying to solve is how do I go about getting the group policy pushed to the new accounts. Without the group policy applied the application will not function.

Opening a cmd prompt and running gpupdate /force fixes it, but I need a more seamless transition between install time and run time.

RBT
nolan

3 Answers

6

That should do the trick:

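    // Required namespaces
    using System;
    using System.Diagnostics;
    using System.IO;
    using System.Threading;
    using System.Windows.Forms;

    private void UpdateGroupPolicy()
    {
        // Resolve gpupdate.exe from the system directory rather than the search path
        FileInfo execFile = new FileInfo(Path.Combine(Environment.SystemDirectory, "gpupdate.exe"));
        Process proc = new Process();
        proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
        proc.StartInfo.FileName = execFile.FullName;
        proc.StartInfo.Arguments = "/force";
        proc.Start();
        // Wait for gpupdate to finish while keeping the UI message loop responsive
        while (!proc.HasExited)
        {
            Application.DoEvents();
            Thread.Sleep(100);
        }
        MessageBox.Show("Update procedure has finished");
    }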
Daniel Abou Chleih
  • The problem I run into with this is that after the policy refreshes it asks me if I want to log off. – nolan Aug 12 '13 at 19:48
  • That's normal behaviour, because some GPOs (such as Folder Redirection/user Software Installation) can't be applied in the background and therefore need a relog. – Daniel Abou Chleih Aug 12 '13 at 19:54
  • Try adding "/wait:0" to the StartInfo.Arguments after the "/force" (http://hardforum.com/showthread.php?t=1313045) – Teknikaali Aug 12 '13 at 19:55
  • Any idea how I can tell when it completes? – nolan Aug 12 '13 at 20:03
  • You could add proc.WaitForExit(); and MessageBox.Show("Update procedure has finished"); at the end of the method. But the program will freeze until the gpupdate has finished. – Daniel Abou Chleih Aug 12 '13 at 20:11
  • See my updated solution, program won't hang anymore. BTW: Did Teknikaali's solution work? – Daniel Abou Chleih Aug 12 '13 at 20:16
  • You can also register to the Event that is launched after something has been written to the event log with EventLog.EntryWritten Event – Teknikaali Aug 12 '13 at 20:16
  • /wait:0 does avoid the prompt for restart. I'm noticing some odd behavior though, if I try to start the windows service immediately after gpupdate completes I get an error. However if I wait a few seconds everything is fine. I'm looking into what entries are in the event log now to see if that route helps. – nolan Aug 12 '13 at 20:48
  • Attached to the event log and found the event noting the GPO had been applied to the computer. It's ugly, but it works. (FWIW: The event entry was Source == "Microsoft-Windows-GroupPolicy" && InstanceId == 1502) – nolan Aug 12 '13 at 21:28
  • I had to add `proc.StartInfo.CreateNoWindow = true;` for gpupdate to not display a window. – Nathan Goings May 31 '22 at 15:43
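
The approach the comments above converge on (run gpupdate with `/wait:0`, then wait for the Group Policy event before starting the service), as an added example that is not code from the answer or its commenters. `GroupPolicyRefresh`, `RefreshAndWait` and the choice of the System log are assumptions; the source name and instance id are the ones quoted in the comments.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Threading;

static class GroupPolicyRefresh
{
    // Values quoted in the comments above; the "System" log name is an assumption.
    const string GpSource = "Microsoft-Windows-GroupPolicy";
    const long GpAppliedInstanceId = 1502;

    // Hypothetical helper: returns true once the "policy applied" event is seen,
    // false if gpupdate fails or the timeout expires first.
    public static bool RefreshAndWait(TimeSpan timeout)
    {
        // Not disposed on purpose: a late callback may still call Set().
        var applied = new ManualResetEventSlim(false);
        using (var log = new EventLog("System"))
        {
            // Subscribe before starting gpupdate so the event cannot be missed.
            log.EntryWritten += (sender, e) =>
            {
                if (e.Entry.Source == GpSource && e.Entry.InstanceId == GpAppliedInstanceId)
                    applied.Set();
            };
            log.EnableRaisingEvents = true;

            var psi = new ProcessStartInfo
            {
                // Full path: an installer usually runs elevated, so do not let the
                // working directory or PATH decide which gpupdate.exe is started.
                FileName = Path.Combine(Environment.SystemDirectory, "gpupdate.exe"),
                Arguments = "/force /wait:0",   // per the comments, /wait:0 avoids the log-off prompt
                UseShellExecute = false,
                CreateNoWindow = true
            };
            using (var proc = Process.Start(psi))
            {
                proc.WaitForExit();
                if (proc.ExitCode != 0) return false;
            }
            // With /wait:0 gpupdate exits before processing ends; block on the event instead.
            return applied.Wait(timeout);
        }
    }
}
```

An installer would call `GroupPolicyRefresh.RefreshAndWait(TimeSpan.FromMinutes(2))` and start the Windows service only when it returns true.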
1

You can use this code even for a remote machine.

For the local machine, don't use username, password and Impersonation.

    // Required namespaces
    using System;
    using System.Management;

    private static void UpdateGPO(string machinename)
    {
        try
        {
            ConnectionOptions connectionOptions = new ConnectionOptions();

            // Placeholder credentials for a remote machine; omit these three lines for the local machine
            connectionOptions.Username = @"Domain\Administrator";
            connectionOptions.Password = "password";
            connectionOptions.Impersonation = ImpersonationLevel.Impersonate;

            ManagementScope scope = new ManagementScope("\\\\" + machinename + "\\root\\CIMV2", connectionOptions);
            scope.Connect();

            // Win32_Process.Create starts the command on the target machine
            ManagementClass clas = new ManagementClass(scope, new ManagementPath("Win32_Process"), new ObjectGetOptions());
            ManagementBaseObject inparams = clas.GetMethodParameters("Create");
            inparams["CommandLine"] = "GPUpdate /force";

            ManagementBaseObject outparam = clas.InvokeMethod("Create", inparams, null);
        }
        catch (Exception ex)
        {
            // Report the failure instead of silently swallowing it
            Console.Error.WriteLine("GPUpdate on " + machinename + " failed: " + ex.Message);
        }
    }
Brad Larson
Kevin M
1

I guess you could try to invoke gpupdate /force using WMI. Not much coding, but it's rather manual - you have to execute it against every machine when you need to.

    Wmic /node:.... Process call create "gpupdate /force"

You might want to add local credentials if you are not a domain power user.

The solution seems easy, but I could have misunderstood your question - if so, update me please.

Best regards,

Alex

AlexPawlak