How can I "grant rights" to a minor admin, say allow run scan, update content, etc. - but prevent them from moving a computer from one group to another?
They keep moving computers into a group with lesser restrictions which causes the users to be able to do things they should not be allowed to do - and then they leve the computer there even though I've said "don't do that!" . They need rights so they can trigger scans, force policy updates or content updates, turn on functionality it needed and all - but I want to prevent MOVING the computer from the normal group where computers belong and into the test group where they should not be for the END USER. It's fine if IT staff is testing, but no end user should be on a computer in that group. That's what I need to do- prevent moving of computers of end users into the group.
Is that possible ? allow almost everything, but block computer moves between normal group to test group.