Regardless which option you use, you should have the following 3 groups:
Eventually you will discover that active directory will soon become overun with these groups and it can become difficult to identify which groupds are associated with which CRM organization.
Being able to identify these groups is very useful when investigating permissions and security related issues. You can use a simple SQL query against the "Organization_MSCRM" database.
select ReportingGroupName, SqlAccessGroupName, PrivReportingGroupName from Organization