Using PsExec and SpecOps to Force Group Policy Updates via ADUC

23 Jul

Group Policy. It’s pretty awesome: you can fix anything and everything with a few little clicks, but you can also break everything with a few little clicks, so care must be taken.

I generally set up test OUs and stick one or two PCs in there first while I test the policies, and only once I’m happy do I roll them out to the domain.

Anyway, this isn’t a lesson on GP; you know what it is and how powerful it is, or else you wouldn’t be reading this. So, the latest coolness I’ve been playing with I initially found here.

Now, I had already started using PsExec to run remote commands, gpupdates and so on against remote workstations. This is good for one-off situations, but I soon thought that it needed to be a bit more powerful, lots more powerful in fact.

Gpupdates will take place automatically, but this can take time, and if you need a policy to be applied immediately it’s nice to know there is a way to do this relatively easily.

So, the other option is to use Flex Command, which you can download here (flexcommand.hta, 9.93 kb). Next, view the source, copy it, save it as “Flex Command.hta” on your desktop, and then double-click it to run it.

Now you can run PsExec as before, but you can also pick an OU from the dropdown at the top and it will run the command on all the machines within that OU – bonus!
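The same OU-wide gpupdate can be scripted directly. The PowerShell below is an added example, not code from the original post or from Flex Command. It assumes the RSAT ActiveDirectory module is installed, psexec.exe is on the PATH, and the OU distinguished name is a placeholder for your own test OU.

```powershell
# Added example: force a computer-policy refresh on every enabled machine in one OU.
# Assumptions: RSAT ActiveDirectory module, psexec.exe on PATH, and a placeholder
# OU distinguished name. Point it at a test OU first, as described above.
param(
    [string]$SearchBase = 'OU=GP-Test,DC=example,DC=com',   # placeholder DN
    [int]$ConnectTimeoutSec = 10
)

Import-Module ActiveDirectory

# Enabled computer accounts in the OU and any child OUs
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -SearchScope Subtree |
    Select-Object -ExpandProperty DNSHostName

$results = foreach ($name in $computers) {
    if (-not $name) { continue }

    # Skip machines that do not answer a ping (a host firewall may block ICMP,
    # in which case remove this check and rely on the PsExec timeout instead)
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $name; Status = 'Offline'; ExitCode = $null }
        continue
    }

    # -s runs gpupdate as SYSTEM, so only computer policy is refreshed;
    # PsExec passes back the exit code of the remote gpupdate process
    & psexec.exe "\\$name" -accepteula -nobanner -n $ConnectTimeoutSec -s `
        gpupdate.exe /target:computer /force 2>$null | Out-Null

    [pscustomobject]@{
        Computer = $name
        Status   = if ($LASTEXITCODE -eq 0) { 'Updated' } else { 'Failed' }
        ExitCode = $LASTEXITCODE
    }
}

# One row per machine, so failed and offline hosts can be retried later
$results | Sort-Object Status, Computer | Format-Table -AutoSize
```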

With all the free time you now have, you can use some to hit the donate button at the top of the screen, you know, the button that nobody clicks on, ever, I’m beginning to think it’s broken!

But wait, there is way more cleverness; this is merely scratching the surface. (PS: I’ve skipped some of the stuff on windowssecurity.com, so you may want to read up on it yourself.) This is where Specops (Special Operations Software) comes in very handy. You can download it here, for free. (There is a pro version for only $99, which I’m yet to try out but could be very tempted by.)

Once installed (you need to be an enterprise admin and have ADUC on your machine), the Specops Gpupdate utility basically updates ADUC with a few super-useful extensions.

You will see that you now have:

  • Run Windows Update
  • Start Computer
  • Gpupdate
  • Shut Down Computer
  • Restart Computer
  • Specops Gpupdate…

I think most of these are self-explanatory, but the last new option, “Specops Gpupdate…”, just opens a window which contains the other extra options and also allows you to add (or pin) a new command.

All in all, pretty awesome, I think you’ll agree.