I installed a new computer, then moved it to another organizational unit (OU) so that the computer receives the correct security settings from Group Policy. However, the settings aren't taking effect. Do I need to install the computer in the correct OU from the beginning? If so, why does Active Directory (AD) let you move a computer later?
You don't have to create computer accounts in the correct OU from the beginning; you can move accounts from OU to OU at any time and expect new Group Policy Objects (GPOs) to take effect. However, a computer checks the path of the OU in which it resides only at boot-up. After that, whenever the computer reapplies Group Policy, it simply checks to see whether the GPOs applied previously have changed. If you move the computer to a new OU, the computer doesn't recognize the move until the next reboot. Therefore, GPOs linked to the computer's new OU won't take effect until you reboot the computer.
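One way to confirm that a moved computer is still running on its old OU's policy, as an added example that is not part of the original column: compare the DN that `gpresult` reports for the last policy run with the DN Active Directory holds now. The function names, the `example.com` DNs and the sample `gpresult` text are constructed, and the check assumes the DN printed under COMPUTER SETTINGS is the one the client last processed policy for.

```powershell
# Added example. Sample DNs and gpresult text are constructed for illustration.

function Get-ParentContainer {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Strip the leading RDN (CN=PC01); the lookbehind skips escaped commas (\,).
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

function Get-AppliedComputerDN {
    param([string[]]$GpResultLines)
    # Assumption: the first line starting with CN= is the computer DN that
    # gpresult prints under COMPUTER SETTINGS for the last policy run.
    $line = $GpResultLines | Where-Object { $_ -match '^\s*CN=' } | Select-Object -First 1
    if ($line) { $line.Trim() }
}

function Test-OUMovePending {
    param(
        [Parameter(Mandatory)][string]$CurrentDN,   # where AD holds the account now
        [Parameter(Mandatory)][string]$AppliedDN    # what the client last processed
    )
    $current = Get-ParentContainer $CurrentDN
    $applied = Get-ParentContainer $AppliedDN
    [pscustomobject]@{
        AppliedOU     = $applied
        CurrentOU     = $current
        RebootPending = ($current -ne $applied)     # -ne ignores case, as DNs do
    }
}

# Constructed sample: PC01 was moved from Staging to Secure Workstations.
$sampleGpResult = @(
    'COMPUTER SETTINGS'
    '------------------'
    '    CN=PC01,OU=Staging,DC=example,DC=com'
    '    Last time Group Policy was applied: 01/01/2024 at 09:00:00'
)
$sampleCurrentDN = 'CN=PC01,OU=Secure Workstations,DC=example,DC=com'

Test-OUMovePending -CurrentDN $sampleCurrentDN `
                   -AppliedDN (Get-AppliedComputerDN $sampleGpResult)

# On a domain-joined machine (elevated prompt), replace the samples with:
#   $applied = Get-AppliedComputerDN (gpresult /r /scope computer)
#   $filter  = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
#   $current = ([adsisearcher]$filter).FindOne().Properties['distinguishedname'][0]
#   Test-OUMovePending -CurrentDN $current -AppliedDN $applied
```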