In some rare instances when Group Policy is being filtered via group memberships the policies fail to apply.
If the environment is also setup to allow SSO from QAS enabled Linux and Unix machines to other machines then a keberos ticket may get forwarded to the next machine. If a ticket has been forwarded and then group memberships for the joined machine have been updated to allow new group policies they may not apply even after Active Directory (AD) propagation.
This is due to the ticket that has been forwarded containing the old memberships and not the new memberships.
Destroy the ticket so the machine can obtain a new updated ticket from AD.