What does "active directory integration" mean in your .NET app?

Posted by flipdoubt on Stack Overflow
Published on 2008-12-22T12:41:37Z Indexed on 2010/04/06 13:03 UTC

Our marketing department comes back with "active directory integration" being a key customer request, but our company does not seem to have the attention span to (1) decide on what functional changes we want to make toward this end, (2) interview a broad range of customers to identify the most requested functional changes, and (3) still have this be the "hot potato" issue next week. To help me get beyond the broad topic of "active directory integration," what does it mean in your .NET app, both ASP.NET and WinForms?

Here are some sample changes I have to consider:

  1. When creating and managing users in your app, are administrators presented with a list of all AD users or just a group of AD users?
  2. When creating new security groups within your app (we call them Departments, like "Human Resources"), should this create new AD groups?
  3. Do administrators assign users to security groups within your app or outside via AD? Does it matter?
  4. Is the user signed on to your app by virtue of being signed on to Windows? If not, do you track users with your own user table and some kind of foreign key into AD? What foreign key do you use to link app users to AD users? Do you have to prove your login process protects user passwords?
  5. What foreign key do you use to link app security groups to AD security groups?
  6. If you have a WinForms component to your app (we have both ASP.NET and WinForms), do you use the Membership Provider in your WinForms app? Currently, our Membership and Role management predates the framework's version, so we do not use the Membership Provider.

Am I missing any other areas of functional changes?

Followup question

Do apps that support "active directory integration" have the ability to authenticate users against more than one domain? Not that one user would authenticate to more than one domain but that different users of the same system would authenticate against different domains.
