We recently found that a GPO was created with Security Filtering such that certain policies would be applied that are different from the domain policy. For example, this GPO ensured that Administrators were given rights to 'manage auditing and security logs' where the default domain GPO did not. However, we found that of the two machines where we wanted these settings applied, they were only applied to one. Running a report showed that the domain policy was the winning policy on one machine, and, as you'd expect, the new policy won on the machine that actually worked.
When I asked our AD admin why this happened, he said he made an error and "forgot to check where the computer object was 'located' in AD. I just moved it to XYZ, and refreshed the policy on the server - you are good to go."
What does located mean? What could he have changed? Curious.