Roles are the way to go.
Now, is anyone mapping Windows groups to roles rather than adding the users to the database and assigning the database user to roles?
For example
Windows group Parcels --> SQL role Parcels
instead of
SQL users Joe, Ted and Max ---> SQL role Parcels
Our business IT group is going that way, so I'm going along with it. But when I added all my Windows users to SQL I could bring up their userid and see all the roles that user was a member of in my database. With Windows groups I have to query Active Directory, which generates a list of all groups the userid is a member of. These include email groups, project groups etc. It just isn't very clean.
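One way to get back the per-user view the post misses, as an added example that is not part of the original post: a T-SQL query that asks SQL Server (not Active Directory) which Windows group grants a login access and then lists the database roles that group holds in the current database. It assumes SQL Server with Windows authentication; `DOMAIN\joe` is a placeholder account, and nested role membership is not expanded.

```sql
-- Added example: resolve a Windows login to the group(s) that grant it access,
-- then to the database roles those groups are members of in the current database.
DECLARE @acct sysname = N'DOMAIN\joe';   -- placeholder login name, not a real account

-- xp_logininfo with @option = 'all' returns one row per path (direct login or
-- Windows group) through which the account can reach the instance.
CREATE TABLE #paths (
    account_name    sysname,
    [type]          varchar(8),
    privilege       varchar(9),
    mapped_login    sysname NULL,
    permission_path sysname NULL   -- the Windows group, NULL when granted directly
);
INSERT INTO #paths
EXEC xp_logininfo @acctname = @acct, @option = 'all';

-- The principal holding the grant is the permission path (group) when present,
-- otherwise the login itself. Login and database user share the same SID, so the
-- join goes login -> database user -> role membership -> role name.
SELECT DISTINCT
    granted_via = COALESCE(p.permission_path, p.mapped_login),
    db_user     = dp.name,
    db_role     = r.name
FROM #paths AS p
JOIN sys.server_principals   AS sp ON sp.name = COALESCE(p.permission_path, p.mapped_login)
JOIN sys.database_principals AS dp ON dp.sid = sp.sid
JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
JOIN sys.database_principals AS r  ON r.principal_id = rm.role_principal_id
ORDER BY granted_via, db_role;

DROP TABLE #paths;
```

Only groups that have both a server login and a user in the current database appear; a group with a login but no database user shows nothing here, which is itself useful when auditing who can reach a database.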