The people accessing these VMs are my team (admins) as well as various developers. The number of unique users is enough to where managing local accounts wouldn't make sense. Also, there's SSO involved with many of our company's resources and AD is basically the source of truth for that.
There's a good bit for me to think through, in particular if it's worth using FreeIPA / IdM for authentication for these VMs and have FreeIPA / IdM have a trust with AD, which as of right now the answer to that is "no, it's not worth it." Thus, likely what's going to happen is going to be using sssd to work directly with AD, which brings up the though of the best way of handling user and group IDs.
I'm not aware of any kind of native way to generate unique
gidnumber when creating an AD user; thus, I think the way to go will be just letting sssd handle ID mapping, but I was curious if there is a reason I'm not thinking of that would make sense to not have sssd handle ID mappings.