Could you go a little deeper into the ad ou issue for someone not to tech with ad ie manager speak, many thanks tho for the reply

Yeah physical movement, I heard it can cause big issues in AD but was not sure really what - or just how risky these issues actually are...

no physical moving an computer from one location to another would not be any problem, think about mobile computers they do exactly the same. So as long they can resolve a DC and DNS it is alright

Does it not mess up AD in terms of administration of OU's etc, and I think I read somehwere about departmental logon scripts... you'll still get the old OU policies and login scripts unless you move the object in AD - could that cause any major problems?

If you have setup rights based on OU access then it will get the configuration from the OU it is in, so if it needs to go to another location which needs settings from another OU you need to move the object to the other OU yes that is correct.

Is that not typical then, that you set rights via an OU?

I always set rights through security groups and user accounts not computer objects. Only thing for OU's are GPO's but than when I move a pc to another location and it needs the othe GPO I would also move the computer object to the other OU.

Is there any easy way in AD you could identify PC's that have moved from one OU to another? Upping points? And then verify whether it has been moved in AD, or if its still in the old OU and still picking up the old GPO's applied to its old OU, or whether its been moved an is getting its new GPO to reflect its new OU it lives in

Does OU not have anything to do with geographic location of the device, i.e. just by moving it an having it hooked up to a switch in a different office, doesnt affect which OU it is in.

And also, can a user/PC be in more than one OU?

I don't know if there is a way to see if a pc has changed an OU, but becuase it is a manual action you may need to introduce a procedure in your organization.

PC's cannot be member of multiple OU's. OU's are nothing more than a way to easify administrative tasks, if this makes things not easier for you you may need to introduce a ne OU structure.

You can ofcourse create an OU in a OU and another OU below that level, GPO's are applying down the tree so if a pc is in the lowest OU it will get all GPO's from the above OU's

Thing that confused me about multiple OU's was output of grpresult

COMPUTER SETTINGS
------------------
    CN=removed,OU=Computers,OU=Laptops,OU=mydept,DC=removed,DC=net

An Organizational Unit (OU) is a container which gives a domain hierarchy and structure. It is used for ease of administration and to create an AD structure in the company’s geographic or organizational terms.

Here is an example of an OU structure
http://learnthat.com/files/2008/07/image003.jpg

in your case the OU structure would be:
Mydept, Laptops, Computers

On all levels you could setup gpo's, if a gpo is set on the mydept ou it applies to all objects of that OU but also on Laptops and computers. When a gpo is set on the computers OU it only applies to objects in the computers OU.

hope this clarifies how the OU's work