Please read this (written by Pete Sutsos):
Here's what I found works with computers in SEPM's Active Directory OU's: You must move the computer out of the entire OU scope, sync, move it back into the OU, sync again, and the computer now has a "new" object of the same name in the SEPM database. You then syslink drop it.
Steps:
1) SEPM Console: Delete the computer from your Group if possible. If the computer is in an OU, you can not delete it. You then have to move it.
2) Although you cannot add/change/remove computers from the OU's using the SEPM Console, you can with the "Active Directory Users and Computers." Move (do not delete) the computer into an OU not in SEPM Console scope (this is temporary step in AD. You're not deleting the AD computer object, just moving it back and forth so SEPM picks it up).
3) SEPM Console: sync now the OU's (the computer will dissapear in SEPM under your OU's because it's not there anymore, you moved it in step #2. Note: if you have more than 1 domain controller, you may have to wait for replication before the SEPM server notices the move).
4) Active Directory Users and Computers: move computer back into your OU scoped in SEPM. Wait for replication if needed
5) SEPM Console: sync now the OU's again (it now should show up new in SEPM clients)
6) SEPM Console: Make NEW syslink.xml file for the OU. You will use this in the next step.
7) Client: syslink drop your computer with the new syslink.xml file. You should get a green dot in the console and client.
Works every time. You may see the older computer by the same name show up in database, not checking in and it will take its sweet time to fall off. That's a whole different problem well documented here."
it was posted here:
https://www-secure.symantec.com/connect/forums/move-client-group-active-directory
another this you might want to read:
https://www-secure.symantec.com/connect/forums/ad-integration-sep-groups-computers-moving-themselves-around
and:
Organizational Units from Active Directory in Symantec Endpoint Protection 11.0