I have automatic updates configured in our default domain policy and i'd like to exclude our production servers from it. I set up a security group and added all the computer accounts for the servers I want excluded. Then I added that security group to the group policy and checked deny apply policy. When I doa gpupdate and gpresult it still shows that it's applying the default domain policy. on the other hand, if I add just a single machine account to the ACL of the default domain policy and check the deny apply group policy it works as expected. when I run gpresult it shows that it's been blocked by the ACL.
Why won't this work with a security group containing the machine accounts?