Brief Note on Active Directory GPO Delegations
After a recent upgrade to the 2012 AD functional level, I was surprised to find that several important GPO items were no longer being applied properly. After quite a bit of research, I eventually determined that this was because the affected policies were being filtered to only apply to certain security groups, none of which were the Authenticated Users group. I found a TechNet article (now lost) that stated weird things were occurring when the Authenticated Users group was unable to read the GPO. I redelegated Authenticated Users read access to the GPO but left them off the security filtering list, and suddenly all the broken GPOs started working again.
TL;DR
Authenticated Users always needs read delegations to GPOs.
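
One way to check a domain for the condition described above, as an added example that is not part of the original note: it lists every GPO on which Authenticated Users has no delegation entry and previews granting read-only access. It assumes the GroupPolicy PowerShell module (installed with the Group Policy Management Console) and an account allowed to read GPO permissions; the variable names are illustrative.

```powershell
# Added example: audit GPOs for a missing Authenticated Users read delegation.
Import-Module GroupPolicy

$principal = 'Authenticated Users'

$report = foreach ($gpo in Get-GPO -All) {
    # Get-GPPermission raises an error when the trustee has no entry on the GPO,
    # so the error is suppressed and $null is treated as "no delegation".
    $perm = Get-GPPermission -Guid $gpo.Id -TargetName $principal `
                -TargetType Group -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DisplayName = $gpo.DisplayName
        Id          = $gpo.Id
        # GpoApply = read + apply (group is in security filtering)
        # GpoRead  = read only (delegated, but not in security filtering)
        Permission  = if ($perm) { $perm.Permission } else { 'None' }
        Denied      = if ($perm) { $perm.Denied } else { $false }
    }
}

# GPOs the group cannot read at all, or where the entry is an explicit deny.
$missing = $report | Where-Object { $_.Permission -eq 'None' -or $_.Denied }
$missing | Sort-Object DisplayName | Format-Table DisplayName, Id, Permission, Denied -AutoSize

# Preview the fix: read-only delegation, which does not add the group to
# security filtering. Remove -WhatIf to apply the change.
foreach ($row in $missing | Where-Object { -not $_.Denied }) {
    Set-GPPermission -Guid $row.Id -TargetName $principal -TargetType Group `
        -PermissionLevel GpoRead -WhatIf
}
```

Entries reported with Denied set to true are left untouched, since an explicit deny has to be reviewed and removed by hand before a read delegation takes effect.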