Active Directory Authentication static or active

Is the Active Directory Auth a static or active service? Do I have to import every time I make changes to my AD users, or does the XG verify against my AD server?



  • Active.

    It will keep displayname and email in sync. It will do an LDAP lookup when the account is used to verify if the user is disabled or if the password provided is correct.

    I have NOT played with group membership yet, because I don't want to break my live environment, but I have every reason to believe it adjusts groups as well.


    Edit: 

    I just spoke with one of the Architect trainers. He confirmed: group membership is also updated at each login. Information is cached to a small extent to allow for the nice pretty displays in the system, but at each login it is updated from AD.

    --

    Chavous Camp

    UTM, SMC, SGN Certified Engineer / XG Certified Architect

  • I want to add a bit more information, as I have a production environment with XG310 and AD.

    First: STAS is not so efficient. I have Arcserve UDB (backup software) installed on every workstation, and it uses a standard domain user, Backup. Because of this, STAS doesn't work at all, so in my firewall 95% of traffic is reported as user Backup or, if I exclude the Backup login as per the Cyberoam KB about CTAS (STAS by Cyberoam; Sophos doesn't have this KB!!!), the firewall reports 95% of traffic as N/A, so it is useless.
    The only solution is to distribute the Sophos agent so that the clients do their login and do not use SSO.

    Second: group usage. It is dynamic at every logon; only one group is reported (probably the first) and not all the groups of the user. So take note of this.

    Third: you can't use groups of groups. For example, I have a group FW-Users, which would be all the standard users of my company. Inside this group, for simpler use, it would be useful to put the main user groups (so, for example, if I create a new user and add it to its OU and relative group, I don't have to also add it manually to FW-Users).
    This does not work. You must put all the users explicitly inside the main group that you want to manage on the firewall.
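
For the nested-group limitation described in the post above, this added example (not part of the thread and not Sophos code) shows how to work out which users must become direct members of a group such as FW-Users. The directory is constructed sample data rather than a live AD query, and every name other than FW-Users is an assumption.

```python
# Constructed sample directory: group -> direct members (users or other groups).
# All group and user names except FW-Users are made up for illustration.
DIRECTORY = {
    "FW-Users": ["Sales", "Engineering", "alice"],
    "Sales": ["bob", "carol"],
    "Engineering": ["dave", "Contractors"],
    "Contractors": ["erin", "Engineering"],  # circular nesting on purpose
}


def flatten(group, directory):
    """Return every user reachable from `group` through nested groups."""
    users, seen, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:          # already expanded: breaks nesting loops
            continue
        seen.add(current)
        for member in directory.get(current, []):
            if member in directory:  # member is itself a group
                stack.append(member)
            else:
                users.add(member)
    return users


def explicit_membership_plan(group, directory):
    """Users to add as direct members so `group` no longer relies on nesting."""
    direct_users = {m for m in directory.get(group, []) if m not in directory}
    return sorted(flatten(group, directory) - direct_users)


if __name__ == "__main__":
    print("effective users:", sorted(flatten("FW-Users", DIRECTORY)))
    print("add explicitly :", explicit_membership_plan("FW-Users", DIRECTORY))
```

Users in the plan are the ones a firewall rule bound to the top-level group would miss if only direct members are evaluated.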