Configuring Group Policy Refresh Interval

Many Group Policy administrators may be tempted to use the graphical Group Policy Management Console (GPMC) to manage which group policy objects (GPOs) are linked to which Active Directory sites, domains, and organizational units (SDOU), governing scope of management, and furthermore prone to use the Group Policy Management Editor (GPME) to manipulate the settings within said group policy objects.

A useful alternative is to use the Group Policy module of Windows PowerShell. Consider the following examples of how to configure a particular Group Policy setting, the “Group Policy Refresh Interval for Computers” in the Computer Configuration half of a GPO.

First, it’s useful to make sure the GroupPolicy module is loaded into PowerShell. You must first have the module available to be loaded on your computer. On domain controllers this is typically a non-issue, however on management workstations, the Remote Server Administration Tools (RSAT) components related to Group Policy Management should be properly installed before proceeding with any such scripts or interactive use of the following PowerShell commands.

if( @(Get-Module GroupPolicy).count -eq 0 ){ Import-Module GroupPolicy }
function List-GPO {Get-GPO -All | Select displayName,description }
function Config-RefreshInterval( 
    $gpo = "IT Policy for Workstations" ){
    Get-GPRegistryValue $gpo -Key   HKLMSoftwarePoliciesMicrosoftWindowsSystem
}
KeyPath : SoftwarePoliciesMicrosoftWindowsSystem
FullKeyPath : HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsSystem
Hive : LocalMachine
PolicyState : Set
Value : 45
Type : DWord
ValueName : GroupPolicyRefreshTime
HasValue : True
KeyPath : SoftwarePoliciesMicrosoftWindowsSystem
FullKeyPath : HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsSystem
Hive : LocalMachine
PolicyState : Set
Value : 15
Type : DWord
ValueName : GroupPolicyRefreshTimeOffset
HasValue : True
function Config-RefreshInterval(
$interval = 90,
$offset = 30,
$gpo = "IT Policy for Workstations"
){
Set-GPRegistryValue $gpo -Key HKLMSoftwarePoliciesMicrosoftWindowsSystem `
-ValueName GroupPolicyRefreshTime -Value $interval -Type DWord
Set-GPRegistryValue $gpo -Key HKLMSoftwarePoliciesMicrosoftWindowsSystem `
-ValueName GroupPolicyRefreshTimeOffset -Value $offset -Type DWord
}

While functional, this version of the Config-RefreshInterval function will output an object with GPO metadata properties each time it calls Set-GPRegistryValue. The script could easily be rewritten to be more intelligent about processing these objects and only displaying errors upon issues. One factor would be catching permission denied errors when a non-administrative user attempts to change such policy settings. Another improvement would be consuming this output rather than emitting it. Below is a rendering of some of the kinds of properties that these Microsoft.GroupPolicy.Gpo objects have.

DisplayName : IT Policy for Workstations
 DomainName : wernerconsulting.com
 Owner : WETRACONDomain Admins
 Id : 55b219f1-e561-4fb5-a8ff-7b79b86e028
 GpoStatus : AllSettingsEnabled
Description : 
CreationTime : 9/28/2011 8:54:40 AM
 ModificationTime : 9/29/2011 9:41:00 AM
 UserVersion : AD Version: 0, SysVol Version: 0
 ComputerVersion : AD Version: 6, SysVol Version: 6
 WmiFilter :

Note that the ModificationTime and ComputerVersion properties should be updated for each call to Set-GPRegistryValue.

Both the Config-RefreshInterval and Check-RefreshInterval could easily be modified to work with the “Group Policy Refresh Interval for Users” rather than the “Group Policy Refresh Interval for Computers” by replacing the reference to HKLM with HKCU. Or better yet, we could add another parameter and associated logic to allow configuring either or both the Computer Configuration and/or User Configuration. The names of the functions are non-optimal, and could instead be called something like Get-GPRefreshInterval and Set-GPRefreshInterval. Even without such enhancements and refinements, hopefully these serve as an example that retrieving and configuring settings with a group policy object using Windows PowerShell is a fairly straightforward endeavor.

Best wishes in all your Group Policy adventures!