Great article. When I read it, it reminded me of something I have never understood about windows logins.
Say I have active directory with user "U" who belongs to 2 security groups, "GrpA" and "GrpB". I create 3 windows logins on SQL Server for "U", "GrpA" and "GrpB". Now when "U" logs on to the server which login is being used? And if I drop the login for "U", the user "U" can still access the server via a group, but which one?