A very simple kixtart mechanism allows you to create (NT)"active" groups, combining access permissions and scripting. The engine script resides in netlogon, the scripts called for group membership are stored elsewhere, allowing script admins do their job without the need for write access to netlogon.
process group scripting, generic trick
part of script stored in netlogon share
rtscript points to read-only connected disk
enumerate the groups that user is member of
and check if is there is a script with that name
the 100 test is just a safeguard to avoid endless loops
while $group and $groupcount < 100
$script=$rtscript + "groups" + $group
$groupcount=$groupcount + 1
append .txt to create the name of the script for easy editing
$script=$script + ".txt"