Default groups

So I am trying to do something kind of tricky and I hope someone here
can point me to a resource to do this.

I have accounts which are auto-created and authenticated via LDAP.
I would like any account created this way (using the LDAP overlay from
the site) to belong to a group and be privileged. It should reject
addresses which have the @domain.com email but aren’t in the LDAP
directory.

Any other email not belonging to the domain should be created as an
unprivileged user.

Is this possible? What would it take?

Thanks,

Jonathan