Extend ntlm_auth to make it return user groups, for use in the authorization stage, and this in turn could be hooked into Apache security (mod_ntlm_winbind) to allow or disallow access at the GROUP level instead of the USER level.
isn't this fixed now (in 3.0.11)
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.