AD is (more-less) RFC2307 friendly so yes, it is possible to setup a traditional netgroups in AD - I did not verify its functionality with sssd though.That's true. You can probably set up netgroups and use pam_access.so to accomplish this. I don't know anything about setting up netgroups on Active Directory, personally.