After you create or modify a GPO in the domain, the policy’s “wishes” are not immediately dropped on the target machines. In fact, they’re not dropped on the target machines at all; they’re requested by the client computer at various times throughout the day. GPOs are processed at specific times, based on various conditions. You could basically say that GPOs are created from your management machine and plopped on the Domain Controllers for storage. Then those GPOs are simply “pulled” by the client.
It’s likely that you have all sorts of client systems, including Windows 7, Windows 8.1, Windows 10, maybe some Windows XP left behind, and various Windows Servers. So, again, when I say “client system” I mean “the client that receives Group Policy”—even if it’s a server operating system. Each operating system that receives Group Policy instructions processes Group Policy at different times in different ways. With different operating systems requesting different things at different times, the expected behaviors can get confusing quickly.
Additionally, other factors determine when and how a GPO applies. When users dial in over slow links, things can be—and usually are—different. And you can instruct the Group Policy engine (on a specific computer or all computers) to forgo its out-of-the-box processing behaviors for a customized (and often more secure) way to process.
Often, people throw up their hands when the Group Policy engine ...