The out-of-the-box AD integration sets everyone to the default OU. You have a couple of options: if your IT users sit in a different AD OU, a second LDAP import can be configured to import them to your IT OU in HEAT.
The other options: use a field in AD to determine the OU, or use a search and link rule after import to look at the user's department, for example, and then move them to a different OU.
That's a few off the top of my head.
We let AD update the branch rather than the OU. That way the users stay where they are put on creation. We did add some qualifying fields as well so that we know where they are from etc.
Remap the LDAP update to another field, basically.