Let's say that you, by simple mistake, create a rule that denies logon to everyone on all computers. The result of this is:
1. People who are already logged on at the moment you create this rule are unaffected. This is because the server does not actively distribute the rule; it only distributes it on client request, and the client only requests the new rule upon logon.
2. Everyone who tries to log on after you created the rule is denied logon. This is because the client imports the new rule as soon as someone logs on.
Let's say that this is not what you intended, and so you delete the rule from your server. The result of this is:
1. People who are already logged on at the moment you delete this rule are still unaffected. The server does not actively remove the rule from each client; it simply stops distributing it to each client upon logon.
2. Everyone who tries to log on after you deleted the rule is allowed to log on. This is because the client no longer imports the deleted rule when someone logs on.
This means that a rule, once made, does not permeate through your network. In other words, such a rule will NOT keep bothering you, and you do NOT have to reboot computers to get rid of it. If you create a rule, subsequent logons are affected. If you remove that rule, subsequent logons stop being affected.
P.S. The client receives its current ruleset each time someone logs on, unless it cannot connect to the server, in which case it applies the ruleset it received before, thus preventing end users who are not allowed to log on from disconnecting a computer from the network and logging on with cached credentials.
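The timeline above, including the offline case from the P.S., as a small model. This is an added example, not the product's code; the class names, the "*" wildcard for "everyone" and the rule format are assumptions made for illustration.

```python
# Toy model of the pull-on-logon rule distribution described above.
# Server, Client, the "*" wildcard and the deny-set format are hypothetical.

class Server:
    def __init__(self):
        self.deny = set()          # user names denied logon; "*" means everyone


class Client:
    def __init__(self, name):
        self.name = name
        self.cached = frozenset()  # last ruleset received from the server
        self.sessions = set()      # users currently logged on

    def logon(self, user, server, reachable=True):
        # Rules are pulled only at logon. If the server cannot be reached,
        # the ruleset received earlier is applied instead.
        if reachable:
            self.cached = frozenset(server.deny)
        allowed = "*" not in self.cached and user not in self.cached
        if allowed:
            self.sessions.add(user)
        return allowed


def run_timeline():
    server, pc = Server(), Client("PC1")
    events = []
    events.append(("alice logs on before rule", pc.logon("alice", server)))
    server.deny.add("*")           # the mistaken deny-everyone rule
    events.append(("alice session still open", "alice" in pc.sessions))
    events.append(("bob logs on after rule", pc.logon("bob", server)))
    server.deny.discard("*")       # rule deleted on the server
    # Offline, the client still holds the ruleset it pulled at bob's attempt.
    events.append(("bob offline after delete",
                   pc.logon("bob", server, reachable=False)))
    events.append(("bob online after delete", pc.logon("bob", server)))
    return events


if __name__ == "__main__":
    for label, result in run_timeline():
        print(f"{label:28} -> {result}")
```

In this model the deletion only reaches a client at the next logon where it can contact the server; a client that pulled the mistaken rule and is then disconnected keeps applying it from its cache.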