The following attempts to document the order of processing the system and user policies following a system reboot and as part of the user logon:
Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start.
Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded and applied. The list may include GPOs that:
Apply to the location of machines in a Directory.
Apply only when settings have changed.
Depend on configuration of the scope of applicability: local, site, domain, organizational unit, and so on.
No desktop user interface is presented until the above have been processed .
Execution of start-up scripts (hidden and synchronous by default).
A keyboard action to effect start of logon (Ctrl-Alt-Del).
User credentials are validated , user profile is loaded (depends on policy settings).
An ordered list of user GPOs is obtained. The list contents depends on what is configured in respect of:
Is the user a Domain Member, thus subject to particular policies?
Loopback enablement, and the state of the loopback policy (Merge or Replace).
Location of the Active Directory itself.
Has the list of GPOs changed? No processing is needed if not changed.
User Policies are applied from Active Directory. Note: There are several types.
Logon scripts are run. New to Windows 200x and Active Directory, logon scripts may be obtained based on Group Policy objects (hidden and executed synchronously). NT4-style logon scripts are then run in a normal window.
The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like an NT4 Domain), machine (system) policies are applied at start-up; user policies are applied at logon.