Active Directory
From: John Ryan, Captain-Cooker Appreciation Society, Taumata Whakatangi ..., New Zealand
Date: 27/08/2019 18:01:17
General information
Forum: Windows
Category: Computing in general / Miscellaneous
Thread ID: 01670340
Message ID: 01670363
Views: 60
>>So the challenge for me is to associate the AD user with the application User Group. Therefore, the entire User List with ability to assign to various User Groups has to be changed. The application should then allow an admin person to add a user from AD to the application and then associate this user with the User Group. Not a trivial task.

We also have app-level privs, but most users have the same AD username as app username. So when they do an AD login, they get the privs exactly as now. When a new AD user tries, the system adds them to the user table with an "attempted login" flag which is quite good for detecting potential hacks and makes it easy to find them so you can add privs if they're legitimate. I agree it's trickier if app username doesn't match AD username.

The other option is to create groups in AD with app privs set according to group membership instead of your app level privileges. Probably you could write an app that adds users to groups according to your privs tables, but that needs admin rights in AD and our customers mostly have large IT depts who sometimes treat such things as a project requiring scoping plans etc. every time an AD change is requested, so there's a preference for managing app access from the app.

"... They ne'er cared for us
yet: suffer us to famish, and their store-houses
crammed with grain; make edicts for usury, to
support usurers; repeal daily any wholesome act
established against the rich, and provide more
piercing statutes daily, to chain up and restrain
the poor. If the wars eat us not up, they will; and
there's all the love they bear us."
-- Shakespeare: Coriolanus, Act 1, scene 1
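As an added illustration of the two schemes the reply describes (not code from the post or from the author's application): an AD-authenticated username is mapped to the app's own privilege table, an unknown AD account is recorded with an "attempted login" flag and no privileges so an admin can review it, and, as the alternative, privileges are derived from AD group membership. The user table, the `GROUP_PRIVS` mapping and the group names are assumptions made up for the example.

```python
from dataclasses import dataclass, field

@dataclass
class AppUser:
    username: str
    privs: set = field(default_factory=set)
    attempted_login: bool = False  # set when an unknown AD account first appears

# Hypothetical AD group -> app privilege mapping for the group-membership design.
GROUP_PRIVS = {"APP-Admins": {"admin", "edit", "view"}, "APP-Users": {"view"}}

def ad_login(user_table, ad_username, ad_groups=(), use_ad_groups=False):
    """Map an already AD-authenticated account to app privileges.

    Returns (privs, newly_flagged). AD authentication itself is assumed to
    have succeeded before this is called; only the app-side mapping is done here.
    """
    if use_ad_groups:
        # Alternative design: privileges come from AD group membership only.
        privs = set()
        for group in ad_groups:
            privs |= GROUP_PRIVS.get(group, set())
        return privs, False
    # AD usernames are case-insensitive; normalise so "Alice" and "alice"
    # cannot become two separate rows in the app's user table.
    key = ad_username.lower()
    rec = user_table.get(key)
    if rec is None:
        # Unknown AD account: add it with no privileges and flag it, so the
        # attempt is visible for review rather than silently rejected.
        user_table[key] = AppUser(key, attempted_login=True)
        return set(), True
    return set(rec.privs), False

def pending_reviews(user_table):
    """Accounts that reached the app via AD login but were never granted privs."""
    return sorted(u.username for u in user_table.values()
                  if u.attempted_login and not u.privs)

def grant(user_table, username, privs):
    """Admin action for a legitimate user: assign privs and clear the flag."""
    rec = user_table[username.lower()]
    rec.privs = set(privs)
    rec.attempted_login = False
```

Accounts listed by `pending_reviews` are either new staff awaiting privileges or logins that should not have happened, which is the detection value the reply points out.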