I've got a situation where a group wants a few users access removed from
certain folders. Right now their whole context is assigned rights to
the folders.

If I add the user in question as a trustee and remove all of his/her
rights, they still have rights to the folder because their OU has rights.

The workaround I see is to remove the OU's rights and assign the others
rights directly leaving out the users in question, or adding the others
to a group and giving it rights.

Is there a better way to do this?