• Thanks for the responses.

    While the logins are unavoidable, I was trying to avoid creating 700+ corresponding database users (groups, in this case). Lutz's response shows it's possible, but... from BOL on sp_addrolemember:

    "If the new member is a Windows-level principal without a corresponding database user, a database user will be created but may not be fully mapped to the login. Always check that the login exists and has access to the database."

    So while possible to avoid creation of DB users, it doesn't sound like a "sure thing".

    At any rate, I've automated the administration using PowerShell, so it's mostly painless now.

    Thanks again,

    P
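The check that the quoted BOL note asks for can be run per database with a catalog query. This is an added example, not part of the original post. It assumes SQL Server 2005 or later and that it is run in the database whose role membership was changed.

```sql
-- Added example (not from the original post).
-- For every Windows user or group in the current database that belongs to
-- at least one database role, report whether a server login with the same
-- SID exists and whether the database user holds CONNECT on the database.
SELECT
    dp.name       AS database_user,
    dp.type_desc  AS principal_type,
    sp.name       AS server_login,
    CASE WHEN sp.sid IS NULL
         THEN 'no login with this SID'
         ELSE 'mapped to login'
    END           AS login_status,
    CASE WHEN EXISTS (
             SELECT 1
             FROM sys.database_permissions AS perm
             WHERE perm.grantee_principal_id = dp.principal_id
               AND perm.class = 0                    -- database-level permission
               AND perm.permission_name = 'CONNECT'
               AND perm.state IN ('G', 'W')          -- GRANT or GRANT WITH GRANT OPTION
         )
         THEN 'yes' ELSE 'no'
    END           AS has_connect,
    r.name        AS member_of_role
FROM sys.database_principals AS dp
JOIN sys.database_role_members AS rm
      ON rm.member_principal_id = dp.principal_id
JOIN sys.database_principals AS r
      ON r.principal_id = rm.role_principal_id
LEFT JOIN sys.server_principals AS sp
      ON sp.sid = dp.sid
WHERE dp.type IN ('U', 'G')      -- Windows user, Windows group
  AND dp.principal_id > 4        -- skip dbo, guest, INFORMATION_SCHEMA, sys
ORDER BY login_status DESC, dp.name, r.name;
```

A row with no matching login is not automatically broken, since a Windows user can reach the server through a group login, but those rows and any with `has_connect = 'no'` are the ones to review.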