Hello,
I agree with Greg's comment.
First, if I were to move all of these systems into this new group, would this have any effect on Active Directory replication as it's tied into it?
All clients would be moved to the new group created. Here is an understanding of the priority of Group and Organizational Unit:
The Organizational Unit structure and all of the accounts in that Organizational Unit can be imported from and synchronized with Active Directory. An Organizational Unit will be placed in the group as an element of the group just as a computer or user account. An Organizational Unit can be considered as a special type of group. Group Policy Profiles can be applied to the Organizational Unit. The name of the Organizational Unit and the computer/user account within that unit cannot be modified. The computer/user account in the Organizational Unit can be copied into only one group. (Duplicating a computer/user account is not allowed in the groups). The computer/user account may exist in a group and in an Organizational Unit at the same time. Since the group has a higher priority than the Organizational Unit, the client will use the profile of the group instead of the Organizational Unit if the computer or login user of the agent exists in both the group and the Organizational Unit.
Note: Temporary Group has lower priority than Organizational Unit. This is an exception.
Reference: http://www.symantec.com/docs/TECH102546
Second, if I were to allow the user to create their own exceptions, are there any type of logs I can reference to make sure no additional exceptions have been put into place?
Let's say you allow the user to create their own exceptions; then you may check the System Logs >> Client Activity from the Symantec Endpoint Protection Manager.
Client Activity provides information which includes items such as event time, event type, event source, domain, description, site, computer, and severity.
Check this Article:
About log types
http://www.symantec.com/docs/HOWTO27271
Additionally, anything that has been added in general to the firewall exceptions.
Check these Articles:
About the Symantec Endpoint Protection firewall
http://www.symantec.com/docs/HOWTO55247
Default Symantec Endpoint Protection 12.1 RU1 Firewall Policy explanation
http://www.symantec.com/docs/TECH180569
Hope that helps!!