Thanks for the answer. I knew that we could do this via an LDAP request. The problem is we have deployed worldwide proxies, each being a member of a local domain. Setting up an LDAP request to get the user groups would mean querying some central LDAP server, unless I am mistaken. With worldwide proxies, we will, as a consequence, have very high latency for users. NTLM allows us, with a single policy, to have our proxies contact the closest domain controller. That's why I would rather use NTLM over LDAP.
Maybe there is a variable I do not know, like $DomainController$ or something like this, that points to the current domain controller to which the gateways are attached, to make the LDAP request?