If you make sure that your lookup values have known delimiters, then you can do it like this. Let's assume you are using a pair of colons ( :: ) to make your list and your input files look something like this (notice the delimiter on both ends of the strings, too):

lookup_wild_folder

folder_lookup,server,group_lookup,user_lookup,file_exceptions
some_folder,some_server,::group_A::group_B::group_C::,some_user,::exceptions_A::exceptions_B::exceptions_C::

Then you can do your search like this (untested but should work):

index=wineventlog sourcetype=WinEventLog:Security EventCode=560 OR EventCode=4663 OR EventCode=5145 NOT user=*$ | lookup lookup_wild_folder folder_lookup AS folder_name, server AS host OUTPUT group_lookup user_lookup file_exceptions | eval user=if(isnull(Object_Name),null,user) | eval user=if(match(Object_Name,folder_lookup),null,user) | eval user=if(match(user_lookup,user),null,user) | eval user=mvfilter(if(mvindex(split($file_exceptions$, "::" . $Object_Name$ . "::"), 0)) != $file_exceptions$)) | table user host folder_lookup folder_name Object_Name Message group_lookup | ldapfilter domain=default search="(sAMAccountName=$user$)" attrs="memberOf" | rex field=memberOf "^CN=(?<group_name>[^,]+)" | eval user=mvfilter(if(mvindex(split($group_lookup$, "::" . $group_name$ . "::"), 0)) != $group_lookup$)) | search user!=null | table user host folder_lookup folder_name Object_Name Message group_lookup group_name