I don't know if this helps, but I have added rules successfully before that check AD accounts exist and are in a certain group. After "joining" CPPM to the domain, you can do it via LDAP stuff. Granted, I was doing the auth/password too, but that shouldn't matter in theory.
Anyway, the two key authorization parts I think you need in your authorization "source" configuration are...
"userAccountControl", which usually returns 512 if the account exists and is active. Here's a link to the values it uses.
http://support.microsoft.com/kb/305144
Then you can use "memberOf" to check it "contains" the group you're looking for.
I suspect it's then just a case of setting the enforcement policy to give the outcome you want (regardless of auth fail/pass). Can you describe what it is you want CPPM to do, in the event of certain values being found, regardless of the password?
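As an added example (not part of the original post, and not ClearPass configuration), here are the two attribute checks written out in Python. userAccountControl is a bit field, so 66048 (512 plus the password-never-expires flag) is also an active account while 514 is a disabled one, and a "contains" match on a short group name also matches longer group names that start with it. The group DN, user names and entries are constructed for illustration.

```python
# Added example; sample entries below are constructed, not from a real directory.
ACCOUNTDISABLE = 0x0002   # bit set when the account is disabled
NORMAL_ACCOUNT = 0x0200   # 512, a regular user account

def account_is_active(uac):
    """Enabled normal account, regardless of any other flags that are set."""
    uac = int(uac)  # LDAP returns the attribute as a string
    return bool(uac & NORMAL_ACCOUNT) and not uac & ACCOUNTDISABLE

def normalise_dn(dn):
    # Simplification: lower-case and trim spaces around the commas.
    return ",".join(part.strip() for part in dn.split(",")).lower()

def in_group(member_of, group_dn):
    """Exact DN match against memberOf (one string or a list of strings)."""
    values = [member_of] if isinstance(member_of, str) else list(member_of or [])
    wanted = normalise_dn(group_dn)
    return any(normalise_dn(v) == wanted for v in values)

def authorize(entry, group_dn):
    """Return (allowed, reason) from the two attributes, ignoring the password."""
    if not account_is_active(entry.get("userAccountControl", 0)):
        return False, "account disabled or not a normal user"
    if not in_group(entry.get("memberOf"), group_dn):
        return False, "not a member of required group"
    return True, "ok"

GROUP = "CN=WiFi-Users,OU=Groups,DC=example,DC=com"  # hypothetical group
SAMPLES = {
    "alice": {"userAccountControl": "512", "memberOf": [GROUP]},
    "bob": {"userAccountControl": "66048", "memberOf": [GROUP.upper()]},
    "carol": {"userAccountControl": "514", "memberOf": [GROUP]},
    "dave": {"userAccountControl": "512",
             "memberOf": ["CN=WiFi-Users-Contractors,OU=Groups,DC=example,DC=com"]},
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(name, authorize(entry, GROUP))
```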