Platform SDK: Group Policy

Applying Group Policy

Policy is applied when the computer starts up and when the user logs on. When a user turns on the computer, the system applies computer policy. When a user logs on interactively, the system loads the user's profile, then applies user policy.

Policy can be optionally reapplied on a periodic basis. By default, policy is reapplied every 1.5 hours. To set the interval at which policy will be reapplied, use the Group Policy snap-in. Policy can also be reapplied on demand. To refresh the current policy settings immediately, call the RefreshPolicy function.

When applying policy, the system queries the directory service for a list of GPOs to process. Each GPO is linked to an Active Directory container to which the computer or user belongs. By default, the system processes the GPOs in the following order: local, site, domain, then organizational unit. Therefore, where settings conflict, the computer or user receives the policy settings of the last Active Directory container processed.

When processing a GPO, the system checks the access-control list (ACL) associated with the GPO. If an access-control entry (ACE) denies the computer or user access to the GPO, the system does not apply the policy settings specified by the GPO. If the ACE allows access to the GPO, the system applies the policy settings specified by the GPO.
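The following added example (not part of the Platform SDK and not a call into any Group Policy API) models the two rules described above: the local, site, domain, organizational unit processing order and the ACL check. It shows how a deny ACE on a hardening GPO leaves an earlier, weaker value in effect. The GPO names, setting names and values are constructed, and each sample GPO is assumed to carry a single setting.

```c
#include <stdio.h>
#include <string.h>

/* Processing order stated above: local, site, domain, organizational unit. */
enum scope { LOCAL, SITE, DOMAIN, OU };

struct gpo {
    const char *name;     /* constructed GPO name */
    enum scope  scope;    /* container the GPO is linked to */
    int         denied;   /* 1 = an ACE denies this computer or user access */
    const char *setting;  /* constructed setting name */
    const char *value;
};

/* Constructed sample data, listed out of processing order on purpose. */
static const struct gpo sample[] = {
    { "OU-Hardening",    OU,     1, "MinPasswordLength",  "14"  },
    { "Domain-Baseline", DOMAIN, 0, "MinPasswordLength",  "12"  },
    { "OU-Workstations", OU,     0, "ScreenSaverTimeout", "300" },
    { "Site-Default",    SITE,   0, "ScreenSaverTimeout", "900" },
    { "Local",           LOCAL,  0, "MinPasswordLength",  "6"   },
};
#define SAMPLE_COUNT ((int)(sizeof sample / sizeof sample[0]))

/* Return the GPO whose value for `setting` is in effect, or NULL if none
   applies. GPOs are visited in processing order, a GPO the ACL denies is
   skipped, and the last remaining GPO that defines the setting wins. */
const struct gpo *winner(const struct gpo *gpos, int n, const char *setting)
{
    const struct gpo *last = NULL;
    for (int s = LOCAL; s <= OU; s++)
        for (int i = 0; i < n; i++)
            if ((int)gpos[i].scope == s && !gpos[i].denied &&
                strcmp(gpos[i].setting, setting) == 0)
                last = &gpos[i];
    return last;
}

int main(void)
{
    const char *names[] = { "MinPasswordLength", "ScreenSaverTimeout", "AuditLogSize" };
    for (int k = 0; k < 3; k++) {
        const struct gpo *g = winner(sample, SAMPLE_COUNT, names[k]);
        printf("%-18s = %-4s (from %s)\n", names[k],
               g ? g->value : "-", g ? g->name : "no applicable GPO");
    }
    return 0;
}
```

In the sample, the denied OU-level GPO never applies, so the domain value for MinPasswordLength stays in effect, while the permitted OU-level GPO overrides the site value for ScreenSaverTimeout.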

Note that application deployment occurs only during startup or interactive user logon, not on a periodic basis. This prevents undesirable results, such as uninstalling or upgrading an application that is in use. However, registry-based settings and security settings are applied periodically.