Windows – GPO not applying to OU security group

Tags: active-directory, group-policy, windows, windows-server-2016

Basically I have created a home virtual lab to practice Active Directory. I have a virtual version of Windows Server 2016 running on my desktop using Hyper-V, and I have another physical laptop that I am using as the client machine.

Everything is running smoothly, however I cannot get a GPO to apply to a specific security group even though I have linked it to an OU that hierarchically includes the OU that the users sit in (hopefully that makes sense)…

These are the screenshots I have taken to help understand:

https://res.cloudinary.com/dlkdmqcop/image/upload/v1552599131/AD_USERS_fa9yb2.png

https://res.cloudinary.com/dlkdmqcop/image/upload/v1552599131/GPO_hhplok.png

I have linked the GPO to the OU SWI, and am trying to apply it to the Security group UK-SWI1-GG-USERS.

The GPO works perfectly fine if I keep it as Authenticated Users.

Any info would be greatly appreciated.

Best Answer

In order for user group policy to be applied, the computer that the user is logging into must have access to read the group policy object.

By default, i.e., if the GPO is unfiltered, Authenticated Users has both "Apply Group Policy" and "Read" permission and everything just works. If the GPO is filtered to a particular group, however, you must explicitly grant the necessary read permission to the computer(s) in question.

In most cases, you should use the Delegation tab to give Authenticated Users read access.

In the rare event that the content of the group policy object is sensitive (e.g., it contains a password) you might prefer to give read access to the Domain Computers group instead, or perhaps even just those particular computers that need to be able to apply the group policy. Note that this does not provide comprehensive protection against a malicious user obtaining access to the contents of the group policy object. Group policy objects should not contain sensitive information such as passwords.

This behaviour was first introduced in a security update back in 2016, and is described in the Microsoft article Deploying Group Policy Security Update MS16-072 \ KB3163622.
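The check described in the answer can be run across a whole domain. The following PowerShell is an added example, not part of the original answer or the Microsoft article: it lists every GPO on which neither Authenticated Users nor Domain Computers holds an allow permission that includes Read, and can optionally grant Read to Authenticated Users. The function name `Test-GpoComputerRead` and the `$Fix` switch are hypothetical names chosen for this example; it assumes the GroupPolicy module (GPMC/RSAT) is installed.

```powershell
# Added example: audit GPOs for the computer-side Read permission needed since MS16-072.
# Assumes the GroupPolicy module (GPMC / RSAT) and rights to read GPO ACLs.
Import-Module GroupPolicy

function Test-GpoComputerRead {
    # Hypothetical helper: $true if computers can read the GPO via one of the
    # two groups the answer names (Authenticated Users or Domain Computers).
    param([Parameter(Mandatory)] $Gpo)

    # Built-in permission levels that include Read. GpoCustom is not counted,
    # so GPOs with hand-edited ACLs are reported for manual review.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    $hit = Get-GPPermission -Guid $Gpo.Id -All | Where-Object {
        $sid = $_.Trustee.Sid.Value
        # S-1-5-11 = Authenticated Users; domain SID ending in RID 515 = Domain Computers.
        # Matching on SID avoids problems with localized group names.
        ($sid -eq 'S-1-5-11' -or $sid -match '-515$') -and
        ($readLevels -contains $_.Permission.ToString()) -and
        (-not $_.Denied)
    }
    [bool]$hit
}

# Report: GPOs that a computer account cannot read through either group.
$missing = @(Get-GPO -All | Where-Object { -not (Test-GpoComputerRead $_) })
$missing | Select-Object DisplayName, Id | Format-Table -AutoSize

# Optional remediation, off by default. Grants Read only (not Apply), so the
# GPO's existing security filtering is unchanged.
$Fix = $false
if ($Fix) {
    foreach ($gpo in $missing) {
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        Write-Output "Granted Read to Authenticated Users on '$($gpo.DisplayName)'"
    }
}
```

For a GPO whose contents should not be readable by every authenticated account, grant Read to Domain Computers or to the specific computers instead, as the answer describes, rather than setting `$Fix`.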