Right now groups synced in from Active Directory allow adding devices manually, but they are removed on the next sync. This has resulted in some confusion where I work with people attempting to add devices to these groups through Theopenem instead of through AD. Disallowing the addition of devices to these groups would help reduce confusion greatly.