When our environment was built, there were no entitlements and all users and groups were synchronized (using policy as a gate). We eventually moved to the role/resource model, and then enabled PCRS. There is now a desire to synchronize the membership of a few specific groups between eDir and AD, but it appears that enabling PCRS precludes this.

Is there a way to entitle groups to be eligible to sync, or a best practice to somehow react to the resource change in order to keep the membership of these specific groups in sync? (Membership is managed on the AD side in this case)