Deny creating/changing dynamic groups

Please take a look at KB82906. This article outlines the attributes that need to be granted access to in order to perform the conversion.

Thanks for the answer. I already tried that, but it did not work in our environment. The explicit deny did not work on some admin-groups - still dont know why.
I was told to try to find a way to prevent the decentralized admins creating dynamic groups that have over 5000 members. Do you have any advice doing it that way?

Thanks in advance.

just a guess. If jsmith is a memberOf AD\ARSADmins ("DSAdminitrators"), he will get all rights over AR Configuration (including Dynamic Groups) and FC - All Objects in All Managed Domains. AR Roles AT permissions is not checked against "DSAdministrator" including DENY.

Make sure, jsmith is not "DSAdministrator".

Is the request to not have dynamic groups over 5000 members due to these groups being synced to the cloud? There is a queued enhancement request (115894) for this functionality, in limiting dynamic group size. If you are able to contact support and let them know you are also interested in this functionality, the more that are looking for this can only help it become integrated into a future release.

Yes, and we also dont want the decentralized admins to create nor convert into dynamic Groups - because we want to manage all dynamic groups centrally.

Any advice on this?

"Dynamic groups with more than 5,000 objects cater high utilization on the Active Roles servers.
It can lead to a disruption of the replication on the domain controllers, which endangers the operational security." (Incident by Incident Management in our system)