When NLA starts to detect the network location, the machine will contact a domain controller via port 389. If this detection is successful, it will get the domain firewall profile (allowing for correct ports) and we cannot change the network location profile.
If the domain was not found or the process failed, NLA will let you determine which firewall profile will be used, private or public, likely defaulting to Public.
So I'd check that the domain controller and the problem client have the static address of the DC listed for DNS and no others, such as a router or public DNS.
--please don't forget to close up the thread here by marking answer if the reply is helpful--
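
The checks described in the reply above, gathered into one script as an added example (not part of the original post). `$DcAddress` is a placeholder you replace with your DC's static IP. The port test covers TCP 389 only.

```powershell
# Added diagnostic sketch, run on the problem client and on the DC itself.
param(
    [string]$DcAddress = '192.0.2.10'   # constructed placeholder address
)

# 1. Which profile did NLA assign to each connected network?
$profiles = Get-NetConnectionProfile
$profiles | Format-Table InterfaceAlias, Name, NetworkCategory -AutoSize

# 2. DNS servers per connected interface: only the DC should be listed.
foreach ($p in $profiles) {
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $p.InterfaceIndex `
            -AddressFamily IPv4).ServerAddresses
    $extra = @($dns | Where-Object { $_ -ne $DcAddress })
    if (-not $dns) {
        Write-Warning "$($p.InterfaceAlias): no IPv4 DNS servers configured"
    } elseif ($extra.Count -gt 0) {
        Write-Warning "$($p.InterfaceAlias): non-DC DNS servers: $($extra -join ', ')"
    } else {
        Write-Host "$($p.InterfaceAlias): DNS points only at $DcAddress"
    }
}

# 3. Can the DC locator SRV record for the joined domain be resolved?
$cs = Get-CimInstance Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $srv = "_ldap._tcp.dc._msdcs.$($cs.Domain)"
    try {
        Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
            Where-Object Type -eq 'SRV' |
            Format-Table NameTarget, Port -AutoSize
    } catch {
        Write-Warning "SRV lookup for $srv failed: $($_.Exception.Message)"
    }
} else {
    Write-Warning 'This machine is not joined to a domain'
}

# 4. Is port 389 on the DC reachable (TCP only)?
$ldap = Test-NetConnection -ComputerName $DcAddress -Port 389 `
        -WarningAction SilentlyContinue
if ($ldap.TcpTestSucceeded) {
    Write-Host "TCP 389 to $DcAddress is reachable"
} else {
    Write-Warning "TCP 389 to $DcAddress is blocked or unreachable"
}
```

A `NetworkCategory` of `DomainAuthenticated` in step 1 means domain detection succeeded; `Public` or `Private` together with a warning from steps 2 to 4 points at the DNS or port 389 problem described above.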