Configuring Windows AD server user groups
FortiGate units control network resource access at the group level. All members of a user group have the same network access as defined in FortiGate security policies.
You can use existing Windows AD user groups for authentication to FortiGate units if you intend that all members within each group have the same network access privileges.
Otherwise, you need to create new user groups for this purpose.
 
If you change a user’s group membership, the change does not take effect until the user logs off and then logs on again.
 
The FSSO Agent sends only Domain Local Security Group and Global Security Group information to FortiGate units. You cannot use Distribution group types for FortiGate access. No information is sent for empty groups.
Refer to Microsoft documentation for information about creating and managing Windows AD user groups.
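The group rules above can be checked before you build security policies. The following PowerShell is an added example, not Fortinet code: the function name `Get-FssoGroupReport` and the sample groups are hypothetical, and the commented live query assumes the Microsoft ActiveDirectory module is installed.

```powershell
# Added example: classify AD groups against the rules stated above
# (only Domain Local and Global Security groups are sent; Distribution
# groups are unusable; nothing is sent for empty groups).
function Get-FssoGroupReport {
    [CmdletBinding()]
    param(
        # Any object exposing Name, GroupCategory, GroupScope and Members,
        # for example the output of Get-ADGroup -Properties Members.
        [Parameter(Mandatory, ValueFromPipeline)]
        $Group
    )
    process {
        # Cast to string so AD enum values and plain strings compare alike.
        $category = "$($Group.GroupCategory)"
        $scope    = "$($Group.GroupScope)"
        # Filter out $null so a missing Members value counts as zero.
        $count    = @($Group.Members | Where-Object { $_ }).Count

        $reason = if ($category -ne 'Security') {
            'Distribution group: cannot be used for FortiGate access'
        } elseif ($scope -notin 'DomainLocal', 'Global') {
            "Scope '$scope' is not Domain Local or Global"
        } elseif ($count -eq 0) {
            'Empty group: no information is sent'
        } else { $null }

        [pscustomobject]@{
            Name     = $Group.Name
            Category = $category
            Scope    = $scope
            Members  = $count
            Reported = ($null -eq $reason)
            Reason   = $reason
        }
    }
}

# Constructed sample input so the example runs without a domain.
$sample = @(
    [pscustomobject]@{ Name='FSSO-Sales';   GroupCategory='Security';     GroupScope='Global';      Members=@('CN=alice','CN=bob') }
    [pscustomobject]@{ Name='FSSO-Local';   GroupCategory='Security';     GroupScope='DomainLocal'; Members=@('CN=carol') }
    [pscustomobject]@{ Name='Sales-Mail';   GroupCategory='Distribution'; GroupScope='Global';      Members=@('CN=alice') }
    [pscustomobject]@{ Name='FSSO-Interns'; GroupCategory='Security';     GroupScope='Global';      Members=@() }
)
$sample | Get-FssoGroupReport | Format-Table -AutoSize

# Against a live domain (Members reflects the member attribute only, so a
# group held solely as users' primary group, such as Domain Users, shows 0):
# Get-ADGroup -Filter * -Properties Members | Get-FssoGroupReport | Where-Object { -not $_.Reported }
```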