Hi,
this issue has happened to me as well, the problem disappeared after the domain controllers were restarted due to maintenance. Or at least you can try to restart DFS and DFSR services as the issue relates to GPO ACLs not replicating to other domain controllers.
Another reason of ACLs not in sync can be a bug where Domain Admins ACEs are duplicated on GPOs. If the GPOs were created earlier before this was fixed by Microsoft, their duplicate ACEs are unchanged.
In case you see duplicite ACE "Domain Admins":(OI)(CI)(F)" in your GPO using icacls command, you can fix it be removing ACE and granting it again:
icacls "{GPO UID}" /remove:g "<localdomain>\Domain Admins"
icacls "{GPO UID}" /grant "<localdomain>\Domain Admins":(OI)(CI)(F)
More information on this: https://social.technet.microsoft.com/Forums/ie/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permissions-for-one-or-more-gpo-are-not-in-sync?forum=ws2016