To have a powerful login script, it becomes pretty complicated though - compared to how easy it is to do in Group Policy.
As far as the original topic, I agree with using email address as login names. I would also make the usernames "guessable". That way if you know one employees email address is firstname.lastname you have a chance at guessing another employee's email address. Let's face it, spammers are going to get it anyways, so you might as well make it easy on your clients.