HOW TO: Restrict Group from being Added to Specific Groups (4256494)

The following steps can be taken to create a workflow to restrict adding a group to specific groups:

1. Create a new Change Workflow
2. Expand the Workflow options and start conditions and click Configure
3. Click Select operation...
4. Change the Target object type to Group
5. Select Change membership from the list and check off Add member to group
6. Click Finish
7. Click OK
8. Drag over an If-Else activity and place it ABOVE the operation in the workflow
9. Drag over a Stop/Break activity and place it INSIDE the LEFT If-Else Branch
10. Right-click the LEFT branch labeled If-Else Branch and select Properties
11. Click the green circle with the white + (plus symbol) on it to add a new condition
12. Click Configure condition to evaluate... and select property of added group member...
13. Next to Target property, click Click to choose and select More choices...
14. Find Distinguished Name in the list and select it then click OK
15. Click OK
16. Click Define value to compare to... and select Fixed object in directory
17. Browse for the group to restrict being added to other groups and add it, then click OK
18. Click the green circle with the white + (plus symbol) on it to add a new condition.
19. Click Configure condition to evaluate... and select property of workflow target object...
20. Next to Target property, click Click to choose and select More choices...
21. Find CN in the list and select it then click OK
22. Change the conditional equals to contains
23. Click Define value to compare to... and select Text string...
24. Type the text that shows up in the group names that you want to disallow; ex. SCCM
25. Click OK
26. The most important step is click the Save Changes button to commit the above changes or the workflow settings will be lost

The last conditions could also be 'equals' and set to a specific target group.  This can also be repeated to add additional groups to restrict being added to.

At this point, the workflow is complete.  You have the option to customize the error message by double-clicking the 'Stop/Break' activity but this is not necessary.