If using a minimum permissions service account ensure the service account has the below access outlined in the Minimum Permissions guide:
The Watcher Service requires that the service account has the “Replicating directory changes” permission on the Default Naming Context (DC=domain, DC=com) and the Configuration Context (CN=Configuration, DC=domain, DC=com) for this object and all descendents.
If permissions have been confirmed, go to the properties of the GPO and check to see if there are any automatic selections made on the Remediation tab. For example, the GPO could be set to "Incorporate Live" so the watcher service will see the non compliance and then automatically remediate this with Incorporate Live.
© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center