After you create or modify a GPO in the domain, the policy’s “wishes” are not immediately dropped on the target machines. In fact, they’re not dropped on the target machines at all; they’re requested by the client computer at various times throughout the day. GPOs are processed at specific times, based on various conditions. You could basically say that GPOs are created from your management machine and plopped on the Domain Controllers for storage. Then those GPOs are simply “pulled” by the client.

It’s likely that you have all sorts of client systems, including Windows 7, Windows 8.1, Windows 10, maybe some Windows XP left behind, and various Windows Servers. So, again, when I say “client ...