@Nils- yes, makes perfect sense, thanks for the detailed explanaiton

@SQLDBA360 - I agree 100%; we are trying to get away from local groups and move to AD authentication but that process moves slowly in my organization; this is (hopefully?) an interim solution.

thanks for the responses, everyone...