There are two ways to handle this. In either case, the user will obviously have to have AD credentials.
The first way is to not bind (join) the Mac to AD. In this method, the user logs into the Mac with a local login and then, when he needs to access network resources, will be prompted for AD creds. There is a check box in these prompt windows that allows him to specify that those creds are added to the Mac keychain, which will eliminate the prompt for creds for that resource until the password changes. This points out the major downside of not binding to AD. There is no way in OS X to change the AD password, so unless he also accesses a PC at some point, this becomes an issue.
The other way is to bind to AD. In this method, the computer account becomes a part of AD just like any computer and he can log in with AD creds. The login screen may present in a number of ways depending on how it is configured on the Mac. One way is that he would simply enter his AD creds. The other way is that there will be an icon called Other, and after clicking on that he can enter his AD creds. Unless using the icon method, you should make sure that the local user name and the AD user name are different, as OS X defers to the local user account.
AD cannot fully manage a Mac user's AD account, but these basics as I have outlined above do work. I am including a link that will give the basics on how to bind the Mac to AD. A couple of things: the article talks about accessing the Directory Utility directly. This works, but the "correct" way is to access it through the System Preferences network app. Also, you may have to supply admin creds on the Mac in order to unlock the padlock on the AD config window to make changes. And obviously substitute your domain info for what's in the example.
http://helpdesk.wisc.edu/ams/page.php?id=12248