Set default permissions for new group policy objects, issue with preexisting GPOs

I recently followed a blog post on Clint Boessen's blog titled "AD Delegation - How to set default permissions for new group policy objects". I'm following his instructions for adding a Domain Local group, in a single-domain, multiple-DC environment, to the default permissions set that is added to GPOs when they are created. His instructions work flawlessly, with the exception of going to preexisting GPOs and selecting "Restore Defaults" to apply the new ACL to the preexisting GPOs. When I do this, I notice, after having clicked "Detect Now" under Status for the GPO I "Restore[d] Defaults" on, that there is an ACL issue. In the picture below I've Restored Defaults on the Default Domain Policy.

For the Default Domain Policy, on the delegation tab I can see the group I added via the defaultSecurityDescriptor for CN=Group-Policy-Container (see below). 

If it helps, below are pictures of the GPO's Advanced Security Settings before and after clicking "Restore Defaults". The "Afters" match on both DCs in the environment.

Also below are the SYSVOL ACLs of the Default Domain Policy from both DCs.

September 2nd, 2015 10:48pm
