>>>So the challenge for me is to associate the AD user with the application User Group. Therefore, the entire User List with ability to assign to various User Groups has to be changed. The application than should allow admin person to add a user from AD to the application and then associate this user with the User Group. Not a trivial task.
>
>We also have app-level privs, but most users have the same AD username as app username. So when they do an AD login, they get the privs exactly as now. When a new AD user tries, the system adds them to the user table with an "attempted login" flag which is quite good for detecting potential hacks and makes it easy to find them so you can add privs if they're legitimate. I agree it's trickier if app username doesn't match AD username.
>
>The other option is to create groups in AD with app privs set according to group membership instead of your app level privileges. Probably you could write an app that adds users to groups according to your privs tables, but that needs admin rights in AD and our customers mostly have large IT depts who sometimes treat such things as a project requiring scoping plans etc every time an AD change is requested- so there's a preference for managing app access from the app.

No way I will create anything in the AD. Not in my goal and will not add a value to the app. The most I will do is query the AD for the names and allow the customers to use these name within my app and assign them to my app user groups.
In my estimation this will take at least five grand and knowing how cheap is this customer, it will probably won't go past the quote.