How can I lock down the User Portal to a specific AD Group?

Question

I am manually migrating from UTM 9.X to XG and I am really enjoying this however I can't seem to find where I can lock down the User Portal logins to a particular group in my active directory. 
 I found where I can control which adapters the user portal is available on (LAN versus WAN) but this seems to evade me :(

Leon.Friend · Accepted Answer

You can do this by modifying the "Search Queries" in the Authentication Server configuration, many engineers use a generic top level search query which will authenticate anyone in the active directory tree. (for example "dc=domain,dc=local") 
This makes initial deployment easy as it can often be difficult in some networks to determine the most effective way to limit it further. 
 
If you narrow the search query further you can limit user authentication to specific sections of your active directory tree or even down as far as a group. Care needs to be taken though as this narrows the authentication for all users of the authentication server (even SSO users, which might be authenticating via STAS or SATC) 
 
Don't forget even if you don't limit the authentication event it's self you can still limit access to resources such as the internet via a User rule in your policy base. This can be easier in that you authenticate absolutely all users and then only provide internet access to the chosen group.