SSH allow windows AD groups(with Special charactors)

You can do this in two ways. One is to let the SSH configuration filter, and the other is to use pam_access.

Using SSH configuration

To /etc/ssh/sshd_config, add a AllowGroups line:

AllowGroups Domain Admin

From the manpage:

AllowGroups
    This keyword can be followed by a list of group name patterns,
    separated by spaces.  If specified, login is allowed only for
    users whose primary group or supplementary group list matches one
    of the patterns.

Domain Admin here doesn't match Domain Admin the group name, but two separate groups Domain and Admin. You'll have to use something like Domain*Admin and *it_admin, since neither (space) nor (#) are usually valid characters in Linux groups. To be on the safer side, use ? instead of *: Domain?Admin and ?it_admin, so that only one character is allowed by the wildcard. You can also add a pattern-based DenyGroups section. See the PATTERNS section in man ssh_config.

Using pam_access

Add lines to /etc/security/access.conf of the form:

- : ALL EXCEPT (Domain) (Admin) : ALL

There are plenty of comments in that file which document how to use it. man pam_access is quite bare, so most information would come from those comments. pam_access is more powerful in that it can control non-SSH logins as well (TTYs, GUI, etc.). This particular line, for example, should deny any user who does not have Domain or Admin as a group from logging in at all (unless other lines allow them).

Both approaches are pretty flexible, and I don't know the pros and cons, so no recommendations.