I mentioned earlier that I prefer to not define policies at the domain root level unless they need to apply to everything in the domain, which means applying them at OU level.

The problem is that by default, newly created users or computers are not in an OU but in the default users or computers containers, which are just cosmetic. Whatever is in them is logically still directly in the domain root, and so no policies would apply to them by default.

Therefore it’s a good idea to redirect those containers, so that users end up in an OU for users, and computers in an OU for computers. Windows makes this a trivial action with the redirusr and redircmp commands: