After a recent upgrade to the 2012 AD functional level, I was surprised to find that several important GPO items were no longer being applied properly. After quite a bit of research, I eventually determined that this was because the effected policies were being filtered to only apply to certain security groups, none of which were the
Authenticated Users group. I found a TechNet article (now lost a technet article) that stated weird things were occurring when the
Authenticated Users group was unable to read the GPO. I redelegated
Authenticated Users read access to the GPO but left them off the security filtering list, and suddenly all the the broken GPOs started working again.
Authenticated Users always needs read delegations to GPOs.