Here a example if you want to create a explicit rule for NOT in AD group X.
A user with..
- authentication 802.1X PEAP
- NOT in AD group Team (checkmark invert on the right)
- end system group WLAN_Team
- Location Zone Home & SSID Secure Access
will get a Deny Access Rule
So you set the "invert" to reverse the rule = NOT in this AD group