Applying Group Policy
Policy is applied when the computer starts and when the user logs on. When a user turns on the computer, the system applies computer policy. When a user logs on interactively, the system loads the user profile, then applies user policy.
This is an overview topic for developers who are writing code that interact with Group Policy. For more information about group policies and how to apply them as an administrator, see Group Policy for Beginners.
Policy can be optionally reapplied on a periodic basis. By default, policy is reapplied every 90 minutes. To set the interval at which policy will be reapplied, use the Group Policy Object Editor. Policy can also be reapplied on demand. To refresh the current policy settings immediately, applications can call the RefreshPolicy function; administrators can call the Gpupdate.exe command-line utility.
When applying policy, the system queries the directory service for a list of GPOs to process. Each GPO is linked to an Active Directory container in which the computer or user belongs. By default, the system processes the GPOs in the following order: local, site, domain, then organizational unit. Therefore, the computer or user receives the policy settings of the last Active Directory container processed.
When processing the GPO, the system checks the access-control list (ACL) associated with the GPO. If an access-control entry (ACE) denies the computer or user access to the GPO, the system does not apply the policy settings specified by the GPO. If the ACE allows access to the GPO, the system applies the policy settings specified by the GPO.
Be aware that application deployment occurs only during system start or interactive user logon, not on a periodic basis. This prevents undesirable results, such as uninstalling or upgrading an application that is in use. However, registry-based policy settings and security policy settings are applied periodically.