@AndyC: And, there are some funky rules about which groups can be members of which other groups. It's super fun when you want employees (with AD accounts) and customers (without AD accounts) to use the same systems.

I'm seriously hoping that once single sign-on becomes more ubiquitous, we can get away from all of that funkiness.