Hey ​@mlajoie, I believe these are the two app definitions you are referencing?:

These are the two primary rules targeting the function of adding users via System Preferences. The specific .appex invoked when you click “Add User...” from Users & Groups is referenced in the bottom definition (UserGroups.appex).

Out of the box using the Quick Start policy, a High Flex user shouldn’t be able to add a new Admin User without providing a valid Challenge / Response code -- but if you wanted to simply block that action, then a block rule as you’ve described should do the trick. Specifically:

Type: System Preference Pane
File/Folder Name: /System/Library/ExtensionKit/Extensions/UsersGroups.appex
AuthRequestURI: *

Hi Neal. Thanks for responding.

Yes - those are rules.  Adding a new user isn’t the problem - it’s converting from a standard user to an admin.  The logged on high-flex user will navigate to that preference pane and can make themselves an admin by toggling the switch and then rebooting.  Once they come back online, they are local admins.

We’ve blocked it so the user can’t toggle it any longer, as described above.  I was just checking to see if there was a different way we may have been missing.  Glad to see we were on the right track.  Thank you!