From a Microsoft support engineer: "Please make sure that you don’t have any Group Policy “Restricted Groups” settings applied to your computers as they will override the group policy preferences settings. Please check it on your side.
Go to: Computer configuration > Windows Settings > Security Settings > Restricted group
If the issue persists, please let us know how you configure and apply the group policy in detail, such as the Action you choose, Replace or Update? Also, please provide us more information on the issue, such as which user or group can be removed and which ones could not be added?
You can check the following information for the differences on the Action:
Replace: Delete and recreate a local user with the matching name for the local computer. The net result of the Replace action overwrites all existing settings associated with the local user. If the local user does not exist, then the Replace action creates a new local user. Use caution when using the Replace action as the newly created user has a new SID.
Update: Rename a user or modify user settings. This action differs from Replace in that it updates the settings defined within the preference item. All other settings remain as they were previously configured. If the local user does not exist, then the Update action creates a new local user. The Update action does not change the SID of the user.
In addition, on problematic Windows 7 computer, run Command Prompt with administrator privilege, then run “gpresult/v > C:\policy.txt”
Please paste the results here for research.
For more information on how to use this GPP and examples on how to define the settings, please check the EV100373
(Best Practice: How to use Group Policy Preferences to Secure Local Administrator Groups).