Sounds like you are missing a destination address and destination service. If you are using a URL filter you can just use "All" as your destination address and tcp 80/443 for service. The URL filter will restrict what web sites can be visited.

 I had meant to include these.  The first one shows the message that comes up in red.

Hello

Add the Source Subnet Object to the Source Attribute as well. Or use the "all"-Object for testing.

You need an address, FQDN Object always, the user object is on top.

I hope you are able to solve your issue with this hint.

"The URL filter will restrict what web sites can be visited."

I thought the idea was to add ALLOW and not BLOCK - which is the default overall.  So, expand, not restrict.

"Add the Source Subnet Object to the Source Attribute as well" 

That seems to do the trick (I used *all*).  I could be more specific and add the subnet ranges but that should amount to the same thing.  Then how do usernames not just get overridden??

Is there a reason why domain usernames don't work by themselves?  They should be connected OK.

Or, should I be concerned that the link between the Fortigate and AD is broken to cause that?

Thank you all.  
@gfleming:  Thank you!  I appear to have it working.  So that's good.  I wouldn't have thought about the address entry.

I still have questions related to the responses I've received here. Still learning.

@haiqal:
What does IPv4DoS Policy have to do with anything in this question?  Or were you referring to something else?

@scan888: 
"You need an address, FQDN Object always, the user object is on top."
When I enter Sources and add an FQDN address group, it always shows up *below* the FQDN usernames group.  Is this in conflict?