The general answer is no. The correct procedure is to make more refined groups to assign a User ID to for FileMaker privileges. Usually the default company groups are not refined enough for the privileges I need in FileMaker and I usually have to add a number of Active Directory Groups just for FileMaker privileges. I have a habit of preceding them all with "FM_" so I know which ones are FileMaker groups.
While you can't change privileges directly, you can always "Get ( AccountName )" to find the User ID logged in and use a Script to perform actions in "[Full Access]" mode that they couldn't normally under their privilege group. Or you could have a script log them out into a special privilege group automatically based on their current User ID.
There are some scripting workarounds, but they often are not great and sometimes there are ways to work around the security that you don't want done. That is why using Privilege Groups the way they are supposed to be used is best.
I often get the User ID to do some custom things for an individual like someone who always wants their screen zoomed to 150% or resized a particular way on startup or to run a special report and you don't need a Privilege group just for that. Just use the "Get ( AccountName )" to see who is logged on to make the script do something for that particular person.
And lastly, I'm guessing if a user is in multiple AD groups, the one which is listed first on the "Accounts" screen is the one the user will be authenticated by, correct?
First on the "Accounts" screen when you look at it in "authentication order", that's a choice at the lower right corner.