There are three possible configurations that will work here:

1. Exclude Admin Accounts from Group Inheritance:
   Remove the flag "Groups can be inherited" (ADSAccount.isGroupAccount) on one of the AD accounts. This only interrupts indirect assignment.

2. The MatchPatternForMembership mechanism:
   Define an item (which is an array of bits) for the accounts and for the groups. An account will become a member of a group only when the bitmask matches. If a category is not defined for one of the user accounts, that account would inherit because the system would decide it was not participating in pattern matching. See Inheriting Group Memberships Based on Categories for more information.

3. Through the Web Portal:
   Define a dummy product with a parameter prompt where the employee can choose which account to take in case there is more than one. This step requires significant customization because the dummy product is required; it must be possible to enter an account; and the process on final grant on PersonWantsOrg is required to handle this request and assign the group directly to that passed account.
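A small simulation of the bitmask matching behind option 2, added here as an illustration; it is not code from One Identity Manager or from the post above. The category names, account and group names, and the rule that an account without a category takes no part in matching and therefore inherits everything are assumptions taken from the description.

```python
# Simulation of category-based group inheritance (constructed example).
# Assumption: each category is one bit; an account inherits a group when at
# least one category bit overlaps; an account with no category set is not
# subject to pattern matching and inherits every group.

CATEGORIES = {"standard": 1 << 0, "privileged": 1 << 1, "service": 1 << 2}


def mask(*names):
    """Build a category bitmask from category names."""
    m = 0
    for n in names:
        m |= CATEGORIES[n]
    return m


def inherits(account_mask, group_mask):
    """True when the account inherits the group under pattern matching."""
    if account_mask == 0:
        return True  # no category: not participating, inherits everything
    return (account_mask & group_mask) != 0


def resolve_memberships(accounts, groups):
    """Return {account: sorted list of groups it inherits}."""
    return {a: sorted(g for g, gm in groups.items() if inherits(am, gm))
            for a, am in accounts.items()}


# Constructed sample: one person with a standard account and an admin account.
GROUPS = {
    "G-FileShare": mask("standard"),
    "G-DomainAdmins": mask("privileged"),
}

ACCOUNTS_BEFORE = {
    "jdoe": mask("standard"),
    "jdoe-adm": 0,   # no category yet: inherits every group, including G-FileShare
}

ACCOUNTS_AFTER = {
    "jdoe": mask("standard"),
    "jdoe-adm": mask("privileged"),  # category set: only matching groups
}

if __name__ == "__main__":
    for label, accts in (("before", ACCOUNTS_BEFORE), ("after", ACCOUNTS_AFTER)):
        print(label, resolve_memberships(accts, GROUPS))
```

Setting a category on the admin account is what stops it inheriting the standard group; leaving it empty gives it every group.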