Ruslan, 2015-05-22 08:18:18

How to protect a workstation from an admin password reset in Windows?

Good afternoon.
The question is in the subject, really. Let's say there are branches in which there may be advanced users, and I would like some kind of protection against resetting the administrator password.
Methods like "seal, close USB / drives", etc. are unsuitable. I would like to solve the issue properly.
Thanks.

8 answer(s)
cssman, 2015-05-22
@flay_er

Stick an APMDZ into each system unit.

Artem, 2015-05-22
@ulkoart

Domain. In the local administrators group, leave only the administrator from the domain.

Artem @Jump, 2015-05-22

Exclude booting from foreign media, and the ability to access the HDD.
That is, a password on the BIOS, and actually sealing the case.
The alternative is encryption.

mace-ftl, 2015-05-22
@mace-ftl

Disk encryption is the main method.

other_letter, 2015-05-22
@other_letter

If there is no competent specialist on site to keep watch, it's all pointless.
But here is how I did it:
1. Password on the BIOS
2. Prohibition on booting from anything else
3. On the case: a lock and a seal
4. An unresolved problem: the hotkey for the boot option sometimes does not turn off
You might think about putting the stations into terminal mode, you can already see it.

Sergey, 2015-05-22
@bk0011m

The minimum setup (as written above):
1. Disabling booting from any media other than the HDD.
2. BIOS password + sealing the cases.
3. Disable the local admin. You can turn it on later from any boot disk. You know the BIOS password.
4. Administrative measures. That is, punish those caught red-handed by depriving them of bonuses or other bonuses. IMHO the most efficient method.
But first you need to convince management of the need for these measures. Otherwise, the problems may arise on your side.
I wouldn't encrypt. This is a very big hassle. A lot of fuss, and there is a risk of data loss. Additional load on the workstations, etc.

Puma Thailand, 2015-05-24
@opium

Usually I put a password on the BIOS and allow it to boot only from the disk.

younghacker, 2015-05-29
@younghacker

If there is physical access to a computer, then whatever you do, some craftsman will turn up.
Install diskless Linux terminals, move the users to a terminal server, and that's the end of it.
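
An audit of the software-checkable measures suggested in the answers above (local Administrators membership, disabled local admin, disk encryption), as an added example that is not part of the original thread. It assumes an elevated Windows PowerShell 5.1 session, BitLocker as the encryption product, and a placeholder allow-list entry `CONTOSO\Domain Admins`.

```powershell
# Added example, not from the thread. Run elevated on the workstation being checked.
# Assumption: 'CONTOSO\Domain Admins' is a placeholder for your own domain admin group.
$AllowedAdmins = @('CONTOSO\Domain Admins')
$findings = New-Object System.Collections.Generic.List[string]

# 1. The built-in local Administrator (RID 500) should be disabled.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Enabled) {
    $findings.Add("Built-in local admin '$($builtin.Name)' is enabled")
}

# 2. The Administrators group (well-known SID S-1-5-32-544) should hold only
#    allow-listed domain principals. The cmdlet can throw on orphaned SIDs,
#    so a failure is reported as a finding instead of being swallowed.
try {
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop) {
        # The built-in account is always a member; check 1 already covers it.
        if ($builtin -and $m.SID.Value -eq $builtin.SID.Value) { continue }
        if ($m.PrincipalSource -eq 'Local' -or $AllowedAdmins -notcontains $m.Name) {
            $findings.Add("Unexpected admin: $($m.Name) [$($m.PrincipalSource)]")
        }
    }
} catch {
    $findings.Add("Cannot enumerate Administrators: $($_.Exception.Message)")
}

# 3. The system drive should be fully encrypted with protection switched on
#    (assumption: BitLocker is the encryption product in use).
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("System drive: $($vol.VolumeStatus), protection $($vol.ProtectionStatus)")
    }
} catch {
    $findings.Add("BitLocker state unavailable: $($_.Exception.Message)")
}

# Emit the findings, or a single OK line when every check passed.
if ($findings.Count -eq 0) { 'OK: no findings' } else { $findings }
```

The BIOS password, boot order and case seals mentioned in the answers cannot be read from inside Windows in a vendor-neutral way, so they stay a manual check.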
