As it turns out, if you never reboot the computer then it never will. That is uberLame.
This is a little tidbit that a TON of Group Policy documentation needs to spell out. Or at least link to a good document. If you filter machine policies by group membership, then you really have to reboot all the time in order to make it work. That's fine for desktop computers, but it's not what we want for servers. There is a lot of wasted internet out there where various clueless people are trying to figure this out. Microsoft should just come out and say it and then link that document to every document they have about things that use group memberships.
Here is a not-so-elegant workaround.