*Addendum*
We modified the Base DN and the Group Base DN of the domain identity source to a specific OU. That does not prevent any and all domain accounts from establishing a session with the vSphere Web Client. All it does is prevent users not in said OU from being able to access any vCenter system registered with the Web Client, even if they have the rights to access it.
Again, I cannot believe that VMware would not have instituted some level of authorization checks at the Web Client level.
-Bill