Unix user/group management has always looked very complex to me, I wonder if this is because
1) I've not invested enough effort understand Unix management
2) the problem is itself very complex
3) this is an historical baggage/legacy and other approaches (Plan9? Windows?) could provide the same type of services but in a simpler way..