How do I set a default user group for new users?

When users are created by default they get added to all groups with logon rights. Having different groups for different projects is one permission model, but you shouldn't make that group one with logon rights. Leave the user in the logon in group and add them to the project group. In general you shouldn't give the logon group permissions in the project because ALL users will have those permissions. The forum is full of people wanting to limit access to a project because they gave permission to the logon in group. JIRA doesn't support denying access so you can't do that. 

I prefer the project role model were the project lead adds/drops users from roles. That removes the JIRA admin from the process of giving project roles. By creating varied project roles you can have just one permission scheme for all your projects.

When you create the user, do you assign what application they should have access to? Does all those 20 groups have application access set as default? You may want to change that so if you create a user that only one of those groups is the default for the application access. Have a look at https://confluence.atlassian.com/adminjiraserver/manage-group-access-to-applications-938847042.html