Prevent Computer Join (2016 Servers) to 2012 OU in AD

Hi Experts,
Would it be possible to prevent 2016 servers from being joined to a 2012 OU within AD?

I tried creating a GPO with deny access to this computer UR with Administrators, Administrator, Domain Users, Remote Desktop Users with WMI filtering set to 2016 only and it did not work.

Any suggestions??

Thank you!
IT_Admin XXXXAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

by default when you join servers / computers to AD, they join to computers container

Now admin need to move these accounts in appropriate OU if required

By default administrators / domain admins have full control on all objects of AD and member of these groups can move accounts
U cannot restrict these groups
Apart from these groups nobody can move computers from default computers container to other OUs unless you grant permissions to do so explicitly

The other option is prestage computer account in specific OU and then when you join workgroup computer with same hostname as prestaged, it will join to AD and pickup prestaged account, for this also you need domain admins or delegated admin to create computer account

If you could explain what exactly your requirement, we can isolate the issue
IT_Admin XXXXAuthor Commented:
Thanks Mahesh, We are trying 'NOT' to allow 2016 servers to join the 2012 OUs. That's pretty much it. It's for pre-monitoring and auditing purposes. We would like to be proactive vs. reactive. Thanks!
it will not unless you manually move it
note that you cannot block domain admins from moving accounts from one OU to other, that's not possible by any means
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

IT_Admin XXXXAuthor Commented:
The folks that are 'moving' or 'joining' the servers are users with elevated accounts (meaning have been provided create child/delete child) ACL rights to that OU and not Domain Admins... It still not possible via a GPO?
Shaun VermaakTechnical SpecialistCommented:
Why do you have OS specific OUs? I wouldn't. Use WMI filtering/item level filtering to target computers based on OS
IT_Admin XXXXAuthor Commented:
Why? It predates me so have no good answer for it. Yes, I do have WMI filtered GPO but it only stops/preventing users from RDPing to the 2016 machine in 2012 OU ( i know it is dumb) but doesn't stop server/build administrators from joining them.
Shaun VermaakTechnical SpecialistCommented:
So, do you want to prevent any 2016 from being part of the domain or do you want them in a specific OU?
For the latter, you can run PowerShell at an interval to move them and the former to delete them. No seamless solution.
IT_Admin XXXXAuthor Commented:
Just preventing 2016 to be moved/joined to the 2012 OU exclusively....
Shaun VermaakTechnical SpecialistCommented:
You can only do that with something that monitors computer accounts and then places them to get correct OU, similar to this

If that would work for you, we can post a Powershell etc. to do this

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial

Are you installing your servers manually?

If you have an automated/unattended installation process, then maybe you can modify your installation code and add these restrictions there?
Otherwise, there is always a way to apply the restrictions you want in AD, but it can be done properly only if you do not use the Enterprise or Domain Admin accounts to join the servers to the domain...
Seth SimmonsSr. Systems AdministratorCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Shaun Vermaak (https:#a42522921)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2016

From novice to tech pro — start learning today.