The client refreshes its rule information on logon, meaning, each time someone logs on to a computer, the computer first requests the applicable ruleset from the server. Here is the chain of events that occur on logon:
- Someone logs on to a computer. - The computer requests the rules that apply on itself from the server. - The computer receives these rules from the server. - The computer calculates whether someone is allowed to log on. - When allowed, the computer allows logon and sends logon info back to the server. - When disallowed, the computer denies logon and sends deny information back to the server.
There are a couple of things important about this setup:
1. The server only calculates which ruleset applies to a computer and sends back these rules on request. It does not calculate whether or not someone is allowed to log on. These calculations are done by the client itself upon logon.
2. Because the server never actively sends information to connected clients, rule changes are not implemented to current logons. They are only implemented to new logons, because each client will not refresh its ruleset until a logon event occurs.