How could a server keep showing up in a Security Filter in my Group Policy Manager?
I've removed the servername$ manually and I've gone as far as to set the Deny check mark on Apply group policy under the Delegation tab > Advanced, but it keeps changing back to Allow, or re-adding it if I've removed it.
100% sure no one else is adding this back in manually.
Personally, I would audit this policy object. In the same advanced security editor, click Advanced, then Auditing, and add an entry for Everyone, Success, for Write all properties and Modify permissions.
Ensure the DC is set to audit DS access events. You can use auditpol.exe or group policies to set/do granular audit configuration. I won't go into detail as I don't know whether you are enforcing a particular audit policy through legacy group policies or the new "advanced audit policy configuration" group policy option.
The GPMC Details tab for the GPO shows the GUID. You can then view replication metadata while on a DC to see when nTSecurityDescriptor was changed and on which DC, through the originating DSA column and time columns.
Replace dc=domain,dc=com as applicable.
Then go view the audit event on that DC at the time, assuming the security log hasn't wrapped, to see who/what did it.
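The procedure in the answer above, sketched in PowerShell as an added example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) is available and that it is run on a domain controller; the GPO GUID is a placeholder, and the event IDs 4662 and 5136 are an assumption about which events the DS access and DS changes audit subcategories will produce for this change.

```powershell
# Added example: run on a DC. Values marked "placeholder" are not from the post.
Import-Module ActiveDirectory

$gpoGuid  = '{00000000-0000-0000-0000-000000000000}'  # placeholder: GUID from the GPMC Details tab
$domainDn = 'DC=domain,DC=com'                         # replace as applicable
$gpoDn    = "CN=$gpoGuid,CN=Policies,CN=System,$domainDn"

# 1. Make sure the DC records directory object access and changes.
#    (The same subcategories can instead be set through Advanced Audit Policy in a GPO.)
auditpol.exe /set /subcategory:"Directory Service Access"  /success:enable
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable

# 2. Replication metadata for the GPO's security descriptor:
#    when it last changed, how many times (Version), and on which DC the change originated.
$meta = Get-ADReplicationAttributeMetadata -Object $gpoDn -Server $env:COMPUTERNAME `
            -Properties nTSecurityDescriptor
$meta | Format-List AttributeName, Version, LastOriginatingChangeTime,
                    LastOriginatingChangeDirectoryServerIdentity

# 3. The originating DSA is reported as the DN of an "NTDS Settings" object;
#    its parent is the server object, which carries the DC's DNS host name.
$serverDn = $meta.LastOriginatingChangeDirectoryServerIdentity -replace '^CN=NTDS Settings,', ''
$dcName   = (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName

# 4. Pull audit events from that DC's Security log around the change time.
#    Nothing is returned if auditing was not yet enabled or the log has wrapped.
$when = $meta.LastOriginatingChangeTime
Get-WinEvent -ComputerName $dcName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662, 5136
    StartTime = $when.AddMinutes(-2)
    EndTime   = $when.AddMinutes(2)
} | Sort-Object TimeCreated | Format-List TimeCreated, Id, Message
```

A Version number that climbs each time the entry reappears, always with the same originating DC, narrows the search to whatever process runs on or against that DC; the account name in the matching event identifies it.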