You can set Active Directory server access at several levels: access for those coming in through network shares, access for those logging on at the console, and access for those logging on through a remote desktop session.
You can set access for those coming in through the Windows network by sharing the particular folders of interest. When logged on to the server, right-click any folder and select Sharing. Give the share a convenient name, such as "Financial," and set the permissions. You'll most likely want to provide Full Control to Domain Admins and the accounting groups. The Backup Operators group probably won't need control at the share level.
You can also control who has the ability to log on to the console. When you join the server to the domain, the Administrators, Domain Admins and Backup Operators groups are automatically assigned the permission to log on locally. If you also want members of the Accounting group to have this right, open the Local Security Policy console from Administrative Tools in the Start menu. Then drill down into the Local Policies > User Rights Assignment node and find the entry for Allow Log On Locally. You can add the domain Accounting group from there.
Finally, if you want the Accounting group to be able to log on through a Remote Desktop session, open the Computer Management console and drill down into System > Local Users and Groups > Groups. Then add Accounting to the Remote Desktop Users group.
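After making these changes, it is worth confirming what each of the three access paths actually grants. The following PowerShell audit is an added example, not part of the original article; it assumes the share is named "Financial" as above, an elevated session on the server, and a Windows version that ships the SmbShare and LocalAccounts modules. It also lists the NTFS permissions on the shared folder, because the effective network access is the more restrictive of the share and NTFS permissions.

```powershell
# Added example: read-only audit of the three access paths described above.
# Run in an elevated PowerShell session on the server itself.
$ShareName = 'Financial'   # share name used in the article; change to match yours

# 1. Network access: who holds which right at the share level
Get-SmbShareAccess -Name $ShareName |
    Select-Object AccountName, AccessControlType, AccessRight

# Share permissions combine with NTFS permissions on the folder;
# the more restrictive of the two is what a network user ends up with.
$sharePath = (Get-SmbShare -Name $ShareName).Path
(Get-Acl -Path $sharePath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

# 2. Console access: accounts holding "Allow log on locally"
#    (stored as the SeInteractiveLogonRight user right)
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight\s*=' |
    Select-Object -First 1
Remove-Item -Path $cfg -Force

if ($line) {
    ($line.Line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs as *S-1-5-...; translate them to names
            $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.TrimStart('*'))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # orphaned SID: the account no longer resolves
        } else {
            $entry                 # already written as an account name
        }
    }
}

# 3. Remote Desktop access: members of the local Remote Desktop Users group
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object Name, ObjectClass, PrincipalSource
```

Any account in the output that you did not intend to grant access, or any SID that no longer resolves to a name, is a candidate for removal.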
This was first published in November 2007