This week was the week of patches. As it happens frequently there was also a buggy patch from Microsoft. It was KB3159398 https://support.microsoft.com/en-us/kb/3159398 which caused group policies to stop working.
As later explained by Microsoft in it's bulletin as a known issue, this bulletin changes the way policies targeted for user are read.
"Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer's security context."
It would be nice to warn about this in advance ...
But if you have installed the patch and have problems, there is no reason to uninstall the patch.
The solution (also described in KB) is to add Read permissions for "Domain Computers" group in affected group policy objects and affected GPOs are the ones which have secureity filtrering applied, the ones where default group (Authenticated Users) has been removed and replaced with some other group.
Here is a script to automate adding read permissions https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/