Should we remove users in excluded groups

Right now, we simply do not manage the excluded groups with the sync script. This was the initial interpretation of requirements, but chats w/ @cguindon brought up that this might be too lenient. We may want to strip users from these subgroups still so that only committers can push/write to these repositories. This is separate from the ECA requirements, and would not impact those checks at least. @wbeaton thoughts?