I had a somewhat similar problem where I wanted to create a query for alerting on brute-force attempts against users in specific "high risk groups". A user then came up with this solution:

This way you can have an updated table of the high risk users from our AD, and then you can join other tables to cross reference activity regarding changes to group membership.