Group Policies are applied intermittantly. I checked the log and found out that the clients are binding to a domain controller in another building, even thought there is a domain controller in this building. What determines whcih domain controller users are authenticated from? What determines which domain controller policies are read from? As far as I know, the domain controller in this building is the main one (used to be called primary). These are both 2003 domain controllers, clients are Vista and XP Pro.