Back in May 2015 we started talking about the Microsoft Group Policy security change that prevents a "man in the middle" attack. Under that change, any Group Policy that uses security filtering to test for group membership will no longer operate with the default "Authenticated Users" on the delegation tab. In other words, if you had, say, a policy that tested whether or not you were a High School Teacher before running, it simply would no longer work.
The solution is to add Domain Computers on the delegation tab of every policy that uses security filtering, because all policies are now read by the computer first and not the user.
Since 2015, we have helped many of you clean up these issues. However, because the default is still Authenticated Users, any future policy set up with security filtering fails more often than not, because people forget to add Domain Computers back into the policy.
Site after site I am cleaning up this issue as I am wandering through doing other things.
We have a very simple script we can run against all your group policies to fix this issue on every policy. We also have a very simple edit we can make so that any time you create a new Group Policy, it defaults to having Domain Computers properly added, so that you can never mess up this security rule again.
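For readers who want to check their own domain, here is an added example of such a sweep (not the script referred to in this post), using the GroupPolicy module cmdlets `Get-GPO`, `Get-GPPermission` and `Set-GPPermission`. The function name `Repair-GpoComputerRead` is hypothetical, and the script assumes the groups carry their English names "Authenticated Users" and "Domain Computers".

```powershell
#Requires -Modules GroupPolicy
# Added example, not the script referred to in this post.
# Assumption: built-in groups use their English names; run from a machine
# with the Group Policy management tools, with rights to edit GPO delegation.
function Repair-GpoComputerRead {
    [CmdletBinding()]
    param(
        [switch]$Apply,                               # without -Apply: report only
        [string]$ComputerGroup = 'Domain Computers'
    )

    # Permission levels on the delegation tab that include read access
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All) {
        # Every trustee that holds an allow entry with at least read access
        $readers = Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $readLevels -contains $_.Permission.ToString() -and -not $_.Denied } |
            ForEach-Object { $_.Trustee.Name }

        # The computer account can read the GPO if either group is present
        if ($readers -contains 'Authenticated Users' -or $readers -contains $ComputerGroup) {
            continue
        }

        if ($Apply) {
            # Grant Read only (not Apply), so security filtering is unchanged
            Set-GPPermission -Guid $gpo.Id -TargetName $ComputerGroup `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
        }

        # One row per affected GPO, for review or export to CSV
        [pscustomobject]@{
            Gpo     = $gpo.DisplayName
            Id      = $gpo.Id
            Readers = ($readers -join '; ')
            Fixed   = [bool]$Apply
        }
    }
}

# Report first, then fix once the list has been reviewed
Repair-GpoComputerRead | Format-Table -AutoSize
# Repair-GpoComputerRead -Apply
```

The report-only run lists every policy where security filtering has left computers without read access; rerunning with `-Apply` adds Domain Computers with Read on just those policies.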
If you have not asked us to do this for you, it doesn't take much time and saves a whole lot of headaches over time.
If you'd like us to do this for you, let us know.