Just a quick note or heads up regarding client exclusion policies.
I got called out to a facility because three laptops stopped working. I got on site and my laptop immediately worked so I knew it wasn't the network or that DHCP got full somehow.
Rebuilding the profiles didn't do anything so when I got on site I saw that those three MAC addresses were excluded probably because they failed to do something. I un-excluded them and removed the default policies. This still didn't work. After an hour or so of banging my head I checked the other controllers to see if any of their clients were excluded and I found the same three macs on another controller for another facility. The only thing I can think of is it was already broken and then the controller blinked and shot those AP's to the wrong controller...and then came back.
If any clients are excluded they are apparently excluded everywhere. Be sure to check all controllers for remnants to get everyone back up online.
So far the only people who get excluded are supposed to be there so I'm on the fence as to whether or not this is a good thing.