After applying an OS patch to the AD servers (GPO servers), Microsoft has changed how GPO reading occurs.
This causes GPOs to not apply correctly.
There is a detailed breakdown of the reasons, and effects of this update here:
The update has changed the context that is used to read gpos from user to computer (because an exploit was discovered that can be countered by Kerberos which is required for computer accounts).
You might find that you can add “domain computers” rather than authenticated users to your hosting ou (for each domain, if you have more than one). This is a smaller permission to add, and doesn’t include any user objects.
There has also been a script released to identify any gpos affected by this (the technet article above also goes into detail about options to fix this).