I have an AD connector set up to allow Users and Groups to flow from the IDV
to the AD. I've restricted only certain groups (by checking the CN) from
being able to flow. Users in AD gain membership in the appropriate groups
based on their membership in the same group in the IDV.

What I'd like to do now is restrict the creation of user accounts in AD to
only those accounts that are members of the appropriate groups in the IDV.

So if there is a group, Group1, and there are two users, User1 and User2,
and User1 is a member of Group1 - then only User1's account should be
created in AD.

I imagine that the best place to do this will be in the matching/create
policies, but I can't seem to figure out how to do either of the following
tests at that point:
1) Whether 'User1' contains 'Group1' in its 'Group Membership' attribute.
2) Whether 'Group1' contains 'User1' in its 'Member' attribute.

Can anyone point me in the right direction to do either of the above tests
(I prefer the second), or provide me with an alternative way to do this?
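One way to express the first test as a DirXML-Script rule in the driver's Subscriber Create policy, added here as an illustration and not taken from the poster's driver configuration; the group DN (`\IDV\Groups\Group1`) and the policy placement are assumptions, and the rule implements the first test (the user's `Group Membership` attribute) rather than the preferred second one, because `if-attr` can evaluate the user being created without a separate query against the group object:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: veto creation of AD user accounts for IDV users
     that are not members of Group1. Intended for the Subscriber
     Create policy set of the AD driver (assumption). -->
<policy>
  <rule>
    <description>Veto User add unless the IDV user is a member of Group1</description>
    <conditions>
      <and>
        <!-- Only act on add events for User objects -->
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
        <!-- if-attr checks the attribute in the current event and,
             if it is not there, reads it from the IDV object.
             mode="src-dn" compares the values as source DNs, so
             Group Membership values in slash format match regardless
             of case or leading backslash. The group DN below is a
             constructed placeholder: replace it with the real one. -->
        <if-attr mode="src-dn" name="Group Membership" op="not-equal">\IDV\Groups\Group1</if-attr>
      </and>
    </conditions>
    <actions>
      <!-- Veto the add: no account is created in AD -->
      <do-veto/>
    </actions>
  </rule>
</policy>
```

Because a vetoed user never gets an association, the later modify that adds the user to Group1 is turned into a synthetic add by the engine, which re-enters the Create policy and now passes, so accounts appear only once the user holds the required membership. Keep `Group Membership` in the driver filter for the User class (notify is enough) so that membership changes generate events on the Subscriber channel.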