Read this on Rod Trent's blog courtesy of Bruce Vangrouw: I recently ran into an issue with Windows XP and group policy. I am not sure if you have noticed but after installing Windows XP, group policy based software distribution does not always occur with the first or second reboot. In addition, even though you may not have noticed, other group policies are not applied. I realized this while trying to configure the Windows Firewall group policy settings. In group policy, there are two sets of identical policies for the firewall: Domain Profile and Standard Profile. As the names imply, while connected to the domain, the Domain Profile policies apply and while disconnected the Standard Profile policies apply. The computer determines if it connected to the domain by checking whether its current domain matches the domain name in the “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName” registry setting. This setting is populated the last time the group policies were successfully applied (a good Cable Guy article explains this in detail.) To tie this all together, because of the issue mentioned in the beginning of the article, group policies are not successfully applied until the second or third reboot. It is hit or miss. In our case, we needed all group policy settings to be applied the first time the computer was rebooted after the image was applied. In searching through policies, I ran across the following setting: “Always wait for the network for computer startup and logon. It is located under “Computer Configuration\Administrative Templates\System\Logon”. The explanation of the policy reads, “Determines whether Windows XP waits for the network during computer startup and user logon. By default, Windows XP does not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background once the network becomes available. Note that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes. To be able to operate safely, these extensions require that no users be logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two logons to be detected. If a user with a roaming profile, home directory, or user object logon script logs on to a computer, Windows XP always waits for the network to be initialized before logging the user on. If a user has never logged on to this computer before, Windows XP always waits for the network to be initialized. If you enable this setting, logons are performed in the same way as for Windows 2000 clients, in that Windows XP waits for the network to be fully initialized before users are logged on. Group Policy is applied in the foreground, synchronously. If you disable or do not configure this setting, Windows does not wait for the network to be fully initialized and users are logged on with cached credentials. Group Policy is applied asynchronously in the background. Note: If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this setting to ensure that Windows waits for the network to be available before applying policy. Note: For servers, the startup and logon processing always behaves as if this policy setting is enable