This is really stumping me. I have a Forest level Server 2008R2 domain, and a Windows 7 SP1 Enterprise x64 client. I have a chain of rather complex GPOs that apply at the domain, OU, subOU etc level. The GPO modeler makes it look like the "right" thing should happen.
When I log in to a standard user account on the client computer and test the GPO settings by opening a command window and doing gpupdate /force, the "right" thing happens and the GPOs apply like I expect.
If I then wait 90 minutes for the gpo update to occur automatically, *different* settings seem to apply.
Specifically I've set a computer policy to hide "switch user". This works after a gpupdate /force, and the ctrl-alt-del screen doesn't show "Switch User". If I come back later after presumably the group policy auto refresh, the "switch user" comes back on the ctrl-alt-del screen. Every time I manually update the policy, that entry comes into force.
Why would the auto refresh of group policy not do *the same thing* as running gpupdate /force? It seems like they *should* do the same thing.