This is not possible with Windows Domain authentication. Instead, try TeamCity LDAP authentication, which is more capable and supports AD. Correct configuration may still require some effort, as well as trial and error. Here is an example that allows you to enter only one AD group.