It is possible to mark either specific groups, or all groups within a particular Active Directory container as being ineligible for access requests.
To exclude groups:
WARNING: One Identity does not provide support for problems that arise from improper modification of the registry. The Windows registry contains information critical to your computer and applications. Make sure you back up the registry before modifying it. For more information on the Windows Registry Edition and how to back up and restore it, refer to Microsoft Article ID 256986 "Description of the Microsoft Windows registry" at https://support.microsoft.com/en-gb/kb/256986
In DGE 6.x: HKEY_LOCAL_MACHINE\Software\Quest Software\Broadway\Server\DeploymentData\SelfServe\ExclusionByDN
In DGE 7.x: HKEY_LOCAL_MACHINE\Software\Dell\Broadway\Server\DeploymentData\SelfService\ExclusionByDN
NOTE: The "DeploymentData" and "SelfService" subkeys may not exist. If these keys are not present, they should be created.
If you want to exclude an entire container of groups, specify the Distinguished Name of the container, with an asterisk ("*") prefix. For example, to exclude all groups in the Users container of example.com, use the following syntax: "*CN=Users,DC=example,DC=com".
NOTE: With Identity Manager it is possible to apply filters using the web designer for IT Shop, which is an alternate method of displaying the desired groups.