Groups in AD become the roles for the users. When using AD without a database in hybrid mode, the roles match exactly. So if they belong to a group named "Domain Users" they'll also now have that role you can use in permissions and other security scenarios.
Here's a recent discussion/scenario I brought up and the solution to it in the case where standard graphics are made to work with a standard set of roles but AD groups/roles don't match the names.