I use Group Policy Objects to manage the local Administrators groups in various departments/Organizational Units in my Active Directory domain. I recently encountered a problem in which the policy was not applying to the computers in a single OU. I verified that the settings in the GPO were correct and that “Authenticated Users” had “apply” permission. I removed the entries from “Local Users and Groups” under Computer Configuration\Preferences\Control Panel Settings and recreated them. I changed the Action of the group setting to Replace instead of Update. I tried enforcing the GPO. Unfortunately, none of these steps made any difference. The workstation event logs and “gpresult /r /scope:computer” said that the policy was applying correctly, except that it obviously wasn’t.
The fix: I deleted the entire GPO and created a new one from a template. Something must have been corrupt in the NTFS permissions or some other attribute of the original GPO, because creating a new policy fixed the problem immediately.
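The following is an added example, not part of the original post: a read-only PowerShell script that inspects the AD and SYSVOL halves of a GPO for inconsistencies before it is deleted and recreated, so the state is on record. The GPO name is a placeholder, and the script assumes the RSAT GroupPolicy and ActiveDirectory modules are installed.

```powershell
# Added example: read-only consistency checks for a GPO whose
# "Local Users and Groups" preference reports as applied but has no effect.
Import-Module GroupPolicy, ActiveDirectory

$GpoName = 'Dept-LocalAdmins'   # placeholder GPO name (assumption)
# Client-side extension GUID for Group Policy Preferences "Local Users and Groups"
$LugCse  = '{17D89FEC-5C44-4972-B12D-241CAEF74509}'

$gpo    = Get-GPO -Name $GpoName
$domain = $gpo.DomainName
$gpt    = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}"

# 1. The AD object (GPC) and the SYSVOL folder (GPT) carry separate
#    version numbers for the computer half; they should be equal.
$versionOk = $gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion

# 2. The computer-side preference file must exist in SYSVOL.
$groupsXml = Join-Path $gpt 'Machine\Preferences\Groups\Groups.xml'
$xmlOk     = Test-Path -LiteralPath $groupsXml

# 3. The GPC must list the extension in gPCMachineExtensionNames;
#    clients decide which extensions to run from this attribute.
$gpc   = Get-ADObject -Identity $gpo.Path -Server $domain `
             -Properties gPCMachineExtensionNames
$cseOk = $gpc.gPCMachineExtensionNames -like "*$LugCse*"

# 4. Trustees holding Apply on the GPO object (the AD-side permission).
$apply = Get-GPPermission -Guid $gpo.Id -All |
    Where-Object Permission -eq 'GpoApply' |
    ForEach-Object { $_.Trustee.Name }

# 5. NTFS ACL on the SYSVOL folder, to compare against a healthy GPO.
$ntfs = (Get-Acl -LiteralPath $gpt).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

[pscustomobject]@{
    Gpo              = $gpo.DisplayName
    ComputerEnabled  = $gpo.GpoStatus -notin 'AllSettingsDisabled',
                                             'ComputerSettingsDisabled'
    VersionsMatch    = $versionOk
    DSVersion        = $gpo.Computer.DSVersion
    SysvolVersion    = $gpo.Computer.SysvolVersion
    GroupsXmlPresent = $xmlOk
    CseRegistered    = [bool]$cseOk
    ApplyTrustees    = $apply -join ', '
}
$ntfs | Format-Table -AutoSize
```

Running the same script against a GPO that applies correctly gives a baseline to compare the ACL and attribute values against.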