Identity Management System in TNG

An enterprise application needs some kind of user management and permission system, better named an Identity Management System, or IMS. Since TNG stores everything in the Portal File System (PFS) as Content, user identity information is stored this way as well. Domains, Users, Groups and Organizational Units are all content items in the PFS. This makes it easy to show the IMS visually in Portal Explorer, and easy for end users to understand and manage. Since all content items in the PFS have access control (permissions), it is also easy to delegate group and user management to people inside and even outside the IT department.

The following screenshot shows the Portal Explorer with the IMS folder open. Inside, there are two Domains: SN is our Active Directory domain, and SNPE is the built-in domain of Sense/Net Portal Engine, which works even without an AD. Within the SN domain there is a folder with our users; "hxn" is highlighted, and this is me. In the SNPE domain, there are organizational units and departments, with users and groups.

Unlike MOSS, this software handles multiple domains, with and without an Active Directory server behind them. Users can be assigned to any group, and groups can be assigned to other groups, even across domain borders. As an example, SN/hxn can be put into the SNPE/Administrator group. Unlike in AD, OUs also behave like groups, so permissions can be granted to an OU as well, and an OU can be placed into a group.
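
The membership rules above mean a permission granted to a group or OU reaches everything nested inside it, including identities from another domain. The following is an added example, not Sense/Net code or its API: it resolves a user's effective principals and lists the memberships that cross a domain border, which is what a permission review would look at. Only SN/hxn and SNPE/Administrator come from the text; every other name and the content items are constructed.

```python
from collections import deque

# Constructed sample data, not Sense/Net's API. Each principal maps to the
# containers it directly belongs to: groups it was assigned to and, because
# OUs behave like groups, the OU it lives in.
MEMBER_OF = {
    "SN/hxn": {"SNPE/Administrator"},      # cross-domain example from the text
    "SNPE/alice": {"SNPE/SalesOU"},        # hypothetical user inside an OU
    "SNPE/SalesOU": {"SNPE/Editors"},      # hypothetical OU placed into a group
    "SNPE/Editors": {"SNPE/Reviewers"},    # hypothetical group nesting
    "SNPE/Reviewers": {"SNPE/Editors"},    # accidental cycle, must not loop
}
# Hypothetical content items and the principals granted access to them.
GRANTS = {"content-a": {"SNPE/SalesOU"}, "content-b": {"SNPE/Administrator"}}

def effective_principals(user, member_of=MEMBER_OF):
    """Return the user plus every group or OU reached through nesting."""
    seen, queue = {user}, deque([user])
    while queue:
        for parent in member_of.get(queue.popleft(), ()):
            if parent not in seen:          # visited set breaks cycles
                seen.add(parent)
                queue.append(parent)
    return seen

def has_access(user, content, grants=GRANTS):
    """True if any principal in the user's closure is granted the content."""
    return bool(effective_principals(user) & grants.get(content, set()))

def cross_domain_edges(user, member_of=MEMBER_OF):
    """Memberships in the user's closure that cross a domain border."""
    domain = lambda p: p.split("/", 1)[0]
    return sorted(
        (member, parent)
        for member in effective_principals(user, member_of)
        for parent in member_of.get(member, ())
        if domain(member) != domain(parent)
    )

if __name__ == "__main__":
    for user in ("SN/hxn", "SNPE/alice"):
        print(user, sorted(effective_principals(user)), cross_domain_edges(user))
```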

