You want your provioning machine to be a direct clone of your parent images, with only the app volumes agent running. You should have your provisioning machine in its own ou different then the clones, and you should use local accounts to prevent things like this from happening. If you don't and create a generic provisioning machine, apps the require the sid of the machine to be consistent won't work.
Also, change the name of the provisioning machine after cloning, this way it won't interfere with other machines available.
And as sjesse said, add it to a different OU preferably without policies applied!! These might be captured within your appstacks.