A: Windows security policy settings are regularly re-applied to a Windows machine -- even if the Group Policy Object (GPO) settings haven't been changed. Indeed, security policy settings are an exception to the "Don't process GPO settings if the GPO hasn't changed" rule. By default, security policy settings defined in the \Computer Configuration\Windows Settings\Security Settings GPO container are processed every 16 hours, even if the GPO hasn't changed. This repetitive processing ensures that if a user makes a change that's against the security policy settings, this change is automatically undone.

You can modify the background refresh interval by editing the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval.

The MaxNoGPOListChangesInterval registry value is stored as a hexadecimal number (i.e., a number starting with 0x) that represents the number of minutes between security policy refreshes. By default, its value is set to 0x3c0, which is 960 minutes, or 16 hours. By the way, a good tool that's available on every Windows platform to help you convert decimal to hexadecimal numbers is the Windows Calculator. You need to switch the calculator from Standard to Programmer view, which you can do from the View menu. In Programmer view, you can toggle back and forth between hexadecimal and decimal values by using the Hex and Dec buttons on the left.

When you set MaxNoGPOListChangesInterval to, for example, 0x1C20, Windows waits 7,200 minutes, or 5 days, to refresh the security policy settings when there have been no other GPO changes. If a Windows computer is switched off for longer than the prescribed interval, the security GPO is applied the next time that the computer is restarted.
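
To check the interval on a machine without opening the registry editor or the calculator, the following PowerShell sketch reads the value and compares it with the 16-hour default. It is an added example, not part of the original answer; the function name `Get-SecurityPolicyRefreshInterval` and its `-BaselineMinutes` parameter are hypothetical, and the value is assumed to be a REG_DWORD.

```powershell
# Added example: audit the security policy background refresh interval.
# Registry path and value name are the ones given in the answer above.
$GpExtKey       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
$ValueName      = 'MaxNoGPOListChangesInterval'
$DefaultMinutes = 0x3c0   # 960 minutes = 16 hours (default stated above)

# Hypothetical helper name; returns one object describing the configured interval.
function Get-SecurityPolicyRefreshInterval {
    param(
        [string]$Path = $GpExtKey,
        [int]$BaselineMinutes = $DefaultMinutes
    )

    $item = Get-ItemProperty -LiteralPath $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value is absent: report that instead of guessing an interval.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Minutes  = $null
            Hex      = $null
            Interval = $null
            Status   = 'ValueNotFound'
        }
    }

    $minutes = [int64]$item.$ValueName   # assumption: value is stored as REG_DWORD
    $status  = if     ($minutes -gt $BaselineMinutes) { 'LongerThanBaseline' }
               elseif ($minutes -lt $BaselineMinutes) { 'ShorterThanBaseline' }
               else                                   { 'Baseline' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Minutes  = $minutes
        Hex      = '0x{0:X}' -f $minutes
        Interval = [TimeSpan]::FromMinutes($minutes)   # e.g. 0x1C20 -> 5.00:00:00
        Status   = $status
    }
}

Get-SecurityPolicyRefreshInterval | Format-List

# To put the interval back to the 16-hour default (run elevated):
# Set-ItemProperty -LiteralPath $GpExtKey -Name $ValueName -Value 0x3c0 -Type DWord
```

A `LongerThanBaseline` result means a local change that conflicts with the security policy can persist for longer than 16 hours before it is undone, so it is worth confirming that the longer interval was set deliberately.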