@Nils- yes, makes perfect sense, thanks for the detailed explanaiton
@SQLDBA360 - I agree 100%; we are trying to get away from local groups and move to AD authentication but that process moves slowly in my organization; this is (hopefully?) an interim solution.
thanks for the responses, everyone...