Computer networks
Andrew, 2020-02-18 17:38:42

How to block someone else's DHCP server using Mikrotik?

I inherited a network of 82 PCs scattered over 7 floors of the building. A Mikrotik RB750GR3 was delivered and configured. At some point in time, I can't yet figure out when, something appears on the network: either a Linux PC with an active DHCP server, or a router with DHCP (10.2.159.0/24) that interferes with the Mikrotik's DHCP (192.168.0.1/24). Computers that were turned on during that period do not see the network and, of course, have no Internet, since they received their IP from the third-party DHCP server.
How can I block this third-party DHCP server using the Mikrotik?


7 answer(s)
hint000, 2020-02-18
@hint000

In this topic, "Why do I see a bunch of other networks outside my factory, moreover my country?", the subject was also a rogue DHCP server. There I wrote the search algorithm in the comments, on the assumption that the switches are unmanaged (with managed ones everything is much simpler). Here it is:

We proceed from the fact that there is a rogue DHCP server.
We also assume that the real DHCP server is your Mikrotik router (or is it not?).
How many switches do you have at the factory? Let's say ten or twenty, if they are small 8-port switches.
Do you have a laptop at hand? With it, you will have to run around much less than without it.
You go with the laptop to the first switch (any one of your choice).
1. Determine which of the cables in the switch is the up-link, i.e. goes towards your main router. If it goes to the router through several intermediate switches, it doesn't matter, it's still the up-link. I hope I don't need to explain in detail how to determine that? :) Mark this cable with electrical tape (if it hasn't been marked yet).
2. Pull the up-link out of the switch and hook the laptop up to the switch. On the laptop, watch for one of two things: either the rogue DHCP server issues an address, or the laptop waits, waits, sees no DHCP and picks an address from 169.254.*.*. There can be no answer from the correct DHCP server, because the up-link is pulled out.
It is better, of course, if the rogue DHCP server is caught right away. If you didn't catch it, then we put the up-link back in place and go to any other switch. For one or two minutes without the Internet, the users (who hang off this switch) won't suffer much. We all know these factories, we've worked in them :) the main thing is not to cut off the director's Internet; everyone else will put up with it, since it's not for long. :) Although you can agree on this in advance, as advised above. Only in this case you don't turn off all the computers, but simply make short-term interruptions to the Internet - mere trifles, pfft...
3. You've reached the N-th switch, repeated everything, and caught a response from the rogue DHCP server. Hooray! We pull all the cables out of the switch (the laptop too), insert one cable (not the up-link!) and plug in the laptop. We try to catch DHCP. No? We unplug the laptop, add one more cable to the switch (not the up-link!), plug in the laptop, try to catch DHCP. And so on. Caught it? We mark the last cable somehow (with electrical tape of a different colour; let's conditionally call it the "evil" cable). Hooray! That's already a lot of progress: we know that the rogue DHCP server is somewhere on this cable (if we haven't made a mistake; better to double-check right away).
4. Then it depends on the situation: is it possible to simply follow this cable and reach the next switch? Great! We go there and repeat everything from point 3.
5. There is no way to trace the cable, for example, a bundle of cables goes into the wall or ceiling. Then we pull the "evil cable" out of the switch and walk around the plant looking for a room with computers on which the Internet has disappeared, or better, a switch on which the up-link indicator has gone off. Found such a switch? We check: we plug the "evil cable" back in and return to the found switch. Did the up-link come back? Then we weren't mistaken. We repeat point 3 on this switch.
6. If we are confused and have no strength to look further, then we leave the last (only the last!) found "evil cable" pulled out. Since it's not clear where it goes, we sit and wait for one of the users to start complaining about the lack of Internet. As soon as they complain, we go there and look for the switch. And if no one complains, then to hell with it. After all, we've isolated the source of the problem from the local network,
That's it! End of the search algorithm! As a result, you should arrive at the device with the rogue DHCP server.

Vergellan, 2020-02-18
@Vergellan

A script for Mikrotik, or dhcpdrop.

Kelv13, 2020-02-18
@Kelv13

I can't tell you about Mikrotik, but on many routers you can block access by MAC address. And, if the configuration allows, you can allow access for the rest of your MAC addresses and prohibit all unknown ones. This is in case he starts changing the MAC address...

Wexter, 2020-02-18
@Wexter

I inherited a network of 82 PCs scattered over 7 floors of the building. A Mikrotik RB750GR3 was delivered and configured

82 PCs are obviously not connected to the Mikrotik's 5 ports but to switches. In that setup you won't block anything on the Mikrotik; you need to configure the switches, if they allow it.

DDwrt100, 2020-02-18
@DDwrt100

In such a situation, there's no way. You can't block it with software.
As an option, catch the rogue "DHCP" server's MAC, see who the manufacturer is, and go check the computers for the presence of that MAC address. That's when viewed from the network side.
Perhaps there are settings in the operating system for DHCP priority; you'd need to google.
However, without central infrastructure management, that's still a challenge.

Michael, 2020-02-26
@HeadsetAdapterCo

The feature is called "DHCP Snooping", and it needs to be configured on the network switch. What it does is allow DHCP responses only on switch ports that are configured as "authoritative". This is usually the port that the router or the DHCP server connects to, and all other ports are configured as "untrusted".
Just check whether your network switch (your specific model) has this feature.
Here is a link to the official Mikrotik Wiki page...
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
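One way to apply the DHCP-snooping answer above and DDwrt100's "catch the rogue server's MAC" suggestion on the RB750GR3 itself. This is an added example, not code from the page, from any of the answerers, or from MikroTik's own documentation. It assumes the LAN ports are bridge ports of a bridge named bridge1, that the router's own DHCP server (192.168.0.1) runs on that bridge, that the RouterOS version supports the bridge dhcp-snooping setting documented on the linked wiki page, and that 00:00:00:00:00:00 is a placeholder to replace with the MAC of your own DHCP server.

```routeros
# Added example, not from the page or from MikroTik docs.
# Assumptions: LAN ports are bridge ports of "bridge1"; the MikroTik's own DHCP
# server (192.168.0.1) runs on bridge1; 00:00:00:00:00:00 below is a placeholder
# for the MAC of your legitimate DHCP server.

# --- 1. DHCP snooping on the bridge --------------------------------------
# With dhcp-snooping enabled, DHCP server messages (OFFER/ACK/NAK) are only
# accepted from bridge ports flagged "trusted". Ports are untrusted by default,
# so a rogue server plugged into any LAN port is dropped at the bridge.
# The router's own DHCP server is not behind a bridge port, so it should keep
# answering; verify with "/ip dhcp-server lease print" after enabling.
/interface bridge
set bridge1 dhcp-snooping=yes

# Keep every client-facing port untrusted (explicit, so the intent is visible).
/interface bridge port
set [ find bridge=bridge1 ] trusted=no

# Only if a legitimate DHCP server sits behind one specific port (e.g. ether2),
# mark that single port trusted:
# set [ find interface=ether2 ] trusted=yes

# --- 2. Rogue-server alerting ---------------------------------------------
# The router itself sends DHCP DISCOVERs on the interface and records any
# server that answers from a MAC not listed in valid-server. That server's
# address and MAC appear as unknown-server in "/ip dhcp-server alert print",
# which is the MAC you then chase down through the switches.
/ip dhcp-server alert
add interface=bridge1 alert-timeout=5m valid-server=00:00:00:00:00:00 on-alert=":log warning \"Rogue DHCP server answered on bridge1; see /ip dhcp-server alert print\""
```

After applying this, check the trusted column in /interface bridge port print and watch /ip dhcp-server alert print and the log. As Wexter's answer points out, the bridge can only police traffic that reaches the RB750GR3's own ports: a PC behind an unmanaged switch still hears a rogue server on the same switch directly. So the alert half of this example tells you that a rogue server exists and what its MAC is; actually removing it takes either DHCP snooping on managed switches or the physical search described in hint000's answer.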

Zar747, 2020-02-27
@Zar747

What's the problem? Get an address from this DHCP server and find out the address of the distributor. Connect to it. Identify the equipment. Look at its MAC (and if the switches are managed, you will find which port it's plugged into); from there it will be clear where it's coming from. And blocking, if you don't have a central switch that controls everything, won't work.
