diff --git a/src/authentic2_gnm/__init__.py b/src/authentic2_gnm/__init__.py
index 9193f8c..e23a48c 100644
--- a/src/authentic2_gnm/__init__.py
+++ b/src/authentic2_gnm/__init__.py
@@ -15,10 +15,25 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import django.apps
+from django.conf import settings
+
+from django_rbac.utils import get_ou_model
+
 
 class AppConfig(django.apps.AppConfig):
     name = 'authentic2_gnm'
 
+    def a2_hook_auth_oidc_backend_modify_user(self, user, user_info, **kwargs):
+        ou_map = {ou.slug: ou for ou in get_ou_model().cached()}
+        # move user to the correct organizational unit
+        user_ou_slug = settings.CUT_GNM_OU_MAPPING.get(user_info.get('ou'))
+        if user_ou_slug:
+            user_ou = ou_map.get(user_ou_slug)
+            if user_ou and user_ou != user.ou:
+                user.ou = user_ou
+                return True
+        return False
+
 default_app_config = 'authentic2_gnm.AppConfig'