The DisallowedADGroupsForRemoval setting allows you define prefixes of AD groups you want to deny EMU operators from removing target devices from. For example, if "EMU_APP_" is in the provided carrot separated list, a user attempting to remove a device from a group which name starts with "EMU_APP_" will instead be told removing workstations from this group has been blocked.
This field's format is a carrot separated list of AD group names (IE: "EMU_APP_^EMU_UPDATES_").
Recommended Default Values:
Group Name Prefix | Explanation |
---|---|
EMU_APP_ | This is the default prefix EMU/EMU Admin Client/EMU Server will use to publish/manage/display application deployments with. Removal from these groups should be managed by the uninstall options for deployed apps, as simply removing a workstation from the deployment collection's queried AD group will not stop the application deployment since the workstation will still be a member of the ConfigMgr collection. The uninstall options presented in EMU will ensure the device is no longer a ConfigMgr collection member. In summary, removal from deployment AD groups is not the proper way to stop deployments - so it's recommended to leave them blocked. |
EMU_Updates_ | If you are using EMU to manage your updates, it's also recommended to block your users from removing computers from the groups via the AD groups panel, for similar reasons to those stated about EMU_APP_ groups above. |