I have removed the BUILTIN/Administrators group, since our hardware people are NT admins and don't really need them rootin around in SQL. I also have created several groups, General Users, Confidential Data Viewers, etc…, but I also have a few singled out users that I assign rights to on an individual basis. Most are Admins, but on occasion we have visiting engineers that revolve around the company that require changes to their access almost daily, then they are gone. I find it easier to adjust their rights as needed then to create a group for a one time thing.