I had a lot of trouble with this too. In my case it turned out to be a combination of things. First, make sure your users are in the correct OU for the policies. Also, check the security filtering to make sure the policies apply to the right groups. Use the group policy results tool in the Group Policy Management Console to make sure the policies are applied in the way you expect.
You said Zentyal was the PDC. Do you have additional domain controllers? If so, make sure replication is working:
samba-tool drs showrepl
I ended up having to set up a cron job to restart the replication service (samba-ad-dc) hourly before it would work reliably.
[Edit]
Also, read the logs on the clients to see if there are any errors.