What are the best practices for adding and removing users/groups to /etc/security/pam_winbind.conf?

in particular I am looking to manage the require_membership_of field in /etc/security/pam_winbind.conf through ansible.

make successful authentication dependend on membership of one SID

(can also take a name)

require_membership_of = user1,group1