Mohammad, I think you have 2 options--
1. If--
- Your AD OU structure is designed so that OUs containing users are separate from and not descended from OUs containing computers, and
- You don't intend to use User mode for anything, and
- You want to continue using AD OUs as your Groups and don't want to have to redesign SEPM installation around non-OU Groups
--then record the Policies that apply to each Group, delete the OU-imported Groups at the top level in SEPM, and re-import only OUs whose contents are computers. Then re-apply Policies to the Groups. Thereafter, the occasional duplicate client (after a Windows reinstall, for example) will still land in the Default Group, but the workaround described in the README will take care of it pretty quickly. You can set up a Notification whenever a Client is added to Default Group so you know to take care of it.
2. If you want to start over, do as I described in this comment: https://www-secure.symantec.com/connect/forums/ad-integration-sep-groups-computers-moving-themselves-around#comment-2437891. You won't have the duplicate client problem any more, and will still have a crude form of AD-integration.
I'm told by Symantec support that MR5 will include a SEPM database redesign, and by context, it was hinted that it is created with an awareness of this issue. So there's hope on the near horizon if you want to keep your AD-integration. Had MR4 MP2 been available 6 weeks ago, I'd probably have kept my OU/Groups in anticipation of MR5. Since I've already blown them away, I'll probably leave them blown away until MR5.