I installed a new computer, then moved it to another organizational unit (OU) so that the computer receives the correct security settings from Group Policy. However, the settings aren't taking effect. Do I need to install the computer in the correct OU from the beginning? If so, why does Active Directory (AD) let you move a computer later?

You don't have to create computer accounts in the correct OU from the beginning; you can move accounts from OU to OU at any time and expect new Group Policy Objects (GPOs) to take effect. However, a computer checks the path of the OU in which it resides only at boot-up. After that, whenever the computer reapplies Group Policy, it simply checks to see whether the GPOs applied previously have changed. If you move the computer to a new OU, the computer doesn't recognize the move until the next reboot. Therefore, GPOs linked to the computer's new OU won't take effect until you reboot the computer.
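A check for the situation described above, as an added example that is not part of the original article: it compares the computer's current distinguished name in AD with the one `gpresult` reports from the last Group Policy run. It assumes PowerShell, an elevated prompt on a domain-joined computer, and English `gpresult /r` output (available on later Windows versions); the function names are hypothetical.

```powershell
# Added example, not from the article. Function names are hypothetical.
# Run elevated on a domain-joined computer.

function Get-CurrentComputerDN {
    # Look up this computer's account in the domain it is joined to.
    $filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    $result = ([adsisearcher]$filter).FindOne()
    if (-not $result) { throw "Computer account not found in AD." }
    [string]$result.Properties['distinguishedname'][0]
}

function Get-AppliedComputerDN {
    param([string[]]$GpResultText)
    # Assumption: in English gpresult /r output, the first line starting
    # with CN= after the "COMPUTER SETTINGS" header is the DN that the
    # last Group Policy run used for this computer.
    $inComputer = $false
    foreach ($line in $GpResultText) {
        if ($line -match '^\s*COMPUTER SETTINGS') { $inComputer = $true; continue }
        if ($line -match '^\s*USER SETTINGS')     { break }
        if ($inComputer -and $line -match '^\s*(CN=.+)$') {
            return $Matches[1].Trim()
        }
    }
    throw "No computer DN found in gpresult output."
}

$applied = Get-AppliedComputerDN -GpResultText (gpresult /r /scope computer)
$current = Get-CurrentComputerDN

if ($applied -ieq $current) {
    Write-Output "OK: policy was last processed for $current"
} else {
    # The account has moved since the DN was last evaluated, so GPOs
    # linked to the new OU have not been applied yet.
    Write-Output "MISMATCH: AD location is      $current"
    Write-Output "          policy processed as $applied"
    Write-Output "Reboot so the computer re-reads its OU path."
}
```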


Reader Comments

In Win2Kpro check out secedit /refreshpolicy and in XPpro check out gpupdate.

Joe Gasper