...Can you elaborate on what you mean by roles/groups? We utilize database roles which specify what objects to give permissions to. However, a new user might not need access to every database where the role exists. To complicate it even more there might only be one member of the role that needs additional permissions on objects outside of what the role is given...
To build on what Steve said, a common strategy I use is to have groups in Active Directory based on what department or job function the person has in the business, and then have roles inside the database for permissions on the related items needed to accomplish some work. Roles are at the database level, not the instance level, so you would assign an AD group to a role in each database where that group needs it. For example, I work at an insurance company. There is a separate Customer Service department and Claims department. The Claims department may need read permissions to see some aspects of the customer's policy maintained by Customer Service.
Additional permissions can be given to a member of the AD group directly even if that user only has database login access through the AD group, so that should handle the special case users.
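The setup described in the reply above, written out as a T-SQL script. This is an added example, not code from either poster; the domain CORP, the groups CORP\Claims and CORP\CustomerService, the user CORP\jdoe, the Policy database, the table dbo.Claims and the role names are all assumed for illustration.

```sql
-- Added example (not from the original thread). Assumes a SQL Server instance,
-- an AD domain CORP with groups CORP\Claims and CORP\CustomerService, a database
-- named Policy containing dbo.Policies and dbo.Claims, and a Windows user
-- CORP\jdoe who is a member of CORP\Claims. All names are illustrative.

-- 1. Instance level: one Windows-authenticated login per AD group.
--    Individual people get no login of their own; they authenticate
--    through membership in the group.
USE master;
GO
CREATE LOGIN [CORP\Claims] FROM WINDOWS;
CREATE LOGIN [CORP\CustomerService] FROM WINDOWS;
GO

-- 2. Database level: roles hold the object permissions. Roles exist per
--    database, so this block is repeated in every database the group needs,
--    and a group that needs no access to a given database is simply never
--    mapped into it.
USE Policy;
GO
CREATE ROLE PolicyReader;
GRANT SELECT ON OBJECT::dbo.Policies TO PolicyReader;   -- read-only view of policy data

CREATE ROLE PolicyMaintainer;
GRANT SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Policies TO PolicyMaintainer;
GO

-- 3. Map each group login to a database user and put that user in the role.
--    Claims staff can read policies; Customer Service staff maintain them.
CREATE USER [CORP\Claims] FOR LOGIN [CORP\Claims];
ALTER ROLE PolicyReader ADD MEMBER [CORP\Claims];

CREATE USER [CORP\CustomerService] FOR LOGIN [CORP\CustomerService];
ALTER ROLE PolicyMaintainer ADD MEMBER [CORP\CustomerService];
GO

-- 4. Special case: one member of Claims needs to update a table the role
--    does not cover. A database user can be created for the Windows
--    principal directly even though the person has no login; SQL Server
--    (2012 and later) resolves the SID from Windows and matches it when the
--    person connects through the CORP\Claims group login. Only the extra
--    permission is granted to that user, so the group keeps least privilege.
CREATE USER [CORP\jdoe];
GRANT UPDATE ON OBJECT::dbo.Claims TO [CORP\jdoe];
GO

-- 5. Check: list every permission and role membership in this database,
--    grouped by principal, so the special-case grant is visible next to
--    the group-based ones. No impersonation needed; this reads catalog views.
SELECT dp.name               AS principal_name,
       dp.type_desc          AS principal_type,
       'ROLE MEMBER'         AS grant_kind,
       r.name                AS detail
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS dp ON dp.principal_id = rm.member_principal_id
JOIN sys.database_principals   AS r  ON r.principal_id  = rm.role_principal_id
UNION ALL
SELECT dp.name,
       dp.type_desc,
       pe.permission_name,
       ISNULL(OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id), pe.class_desc)
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS dp ON dp.principal_id = pe.grantee_principal_id
WHERE dp.name IN (N'CORP\Claims', N'CORP\CustomerService', N'CORP\jdoe',
                  N'PolicyReader', N'PolicyMaintainer')
ORDER BY principal_name, grant_kind;
GO
```

When CORP\jdoe connects, the access token carries both the group SID and the individual SID, so the effective permission set is the union of what PolicyReader grants through CORP\Claims and the direct UPDATE on dbo.Claims. The catalog query in step 5 is the quickest way to audit that no one else received the exception by accident.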