Unable to remove the "Add" button from the MemberOf tab of a User or Group
Even with a Deny-write permission applied to the MemberOf attribute of a User or Group object, an initiator can still click on the Add button on the MemberOf tab and browse for a Group (with the appropriate view permissions). Instead, an error is encountered when attempting to add the Group.
It is not possible to remove or grey-out the Add button on the MemberOf tab due to Active Directory design.
The Members attribute is a true attribute, containing DN's of Users or Groups. MemberOf is a computed attribute, back-synced from Members. This means that in order to remove the Add button from MemberOf, we would have to query write permissions on the Members attribute for every Group in the Domain, every time we displayed the MemberOf tab. This operation would be too slow and too expensive to implement.