I am using SSO for Forms Authentication.
To try and simplify things for "Customers IT" I have added all users to AD Groups based on roles.
I have added the AD Groups to LFDS Groups.
The LFDS Groups have been given permissions to Forms.
Users are not syncing with FORMS unless they are explicitly added to the LFDS Group being trusted by Forms vs being in an AD Group which has been added to the LFDS Group.