Access Denied: Ensuring That GPOs Are Applied When You Move a Computer to a New OU

I installed a new computer, then moved it to another organizational unit (OU) so that the computer receives the correct security settings from Group Policy. However, the settings aren't taking effect. Do I need to install the computer in the correct OU from the beginning? If so, why does Active Directory (AD) let you move a computer later?

You don't have to create computer accounts in the correct OU from the beginning; you can move accounts from OU to OU at any time and expect new Group Policy Objects (GPOs) to take effect. However, a computer checks the path of the OU in which it resides only at boot-up. After that, whenever the computer reapplies Group Policy, it simply checks to see whether the GPOs applied previously have changed. If you move the computer to a new OU, the computer doesn't recognize the move until the next reboot. Therefore, GPOs linked to the computer's new OU won't take effect until you reboot the computer.
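The following PowerShell check is an added example, not part of the original column. It compares the OU that AD currently reports for the computer with the OU that Group Policy processing last recorded locally, so you can tell whether a reboot is still outstanding after a move. It assumes a domain-joined machine and that the `Distinguished-Name` value under the `Group Policy\State\Machine` registry key holds the last-processed computer DN; the function names and sample DNs are constructed for illustration.

```powershell
# Added example: detect an OU move that Group Policy has not yet picked up.

function Get-ParentPath([string]$DistinguishedName) {
    # Drop the leading CN=<computer> RDN; computer names cannot contain commas.
    $DistinguishedName -replace '^CN=[^,]+,', ''
}

function Test-OuMovePending {
    param(
        [Parameter(Mandatory)][string]$DirectoryDn,   # DN as AD reports it now
        [Parameter(Mandatory)][string]$AppliedDn,     # DN Group Policy last processed
        [Parameter(Mandatory)][datetime]$LastBoot
    )
    $current = Get-ParentPath $DirectoryDn
    $applied = Get-ParentPath $AppliedDn
    [pscustomobject]@{
        CurrentOU    = $current
        AppliedOU    = $applied
        LastBoot     = $LastBoot
        # String -ne is case-insensitive in PowerShell, which matches DN comparison.
        RebootNeeded = ($current -ne $applied)
    }
}

# Constructed sample: account moved out of the default Computers container.
Test-OuMovePending `
    -DirectoryDn 'CN=PC042,OU=Secure Workstations,DC=example,DC=com' `
    -AppliedDn   'CN=PC042,CN=Computers,DC=example,DC=com' `
    -LastBoot    (Get-Date '2024-01-15 08:00')

# Live check on the local machine.
$filter = '(&(objectCategory=computer)(sAMAccountName={0}$))' -f $env:COMPUTERNAME
$hit    = ([adsisearcher]$filter).FindOne()
# Assumed location of the DN recorded by Group Policy processing.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine'
$state  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

if ($hit -and $state.'Distinguished-Name') {
    Test-OuMovePending `
        -DirectoryDn $hit.Properties['distinguishedname'][0] `
        -AppliedDn   $state.'Distinguished-Name' `
        -LastBoot    (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
} else {
    Write-Warning 'Could not read the computer DN from AD or from the local Group Policy state.'
}
```

If `RebootNeeded` is `True`, the GPOs linked to `CurrentOU` are not yet in effect on this machine.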
