I think you should also consider using AzMan. Let the Windows users and groups define the user population, and the AzMan data store can persist the provisioning data completely outside of the database.
The Microsoft security team built it specifically for application-level provisioning features; it integrates seamlessly with Windows users and groups, it comes with an MMC snap-in for development and administration, and finally, it can be deployed as an Active Directory GPO, XML file, or lightweight Active Directory Application Mode (ADAM) object.
We use AzMan for our latest enterprise project, and we have zero database-related concerns for application-level provisioning. Our clients like it because their IT admin can control it through the MMC snap-ins and deploy it in their own fashion, and we don't have to write an administrator interface.
I don't have a specific link, but a quick search for 'azman' on Google should get you started down the path.