Token Timeout
Provide 2 different Token Timeouts for Users and Groups. With the default TokenTimeout settings, updates to Active Directory Groups aren't reflected until 24 hours after changes are made. This is a serious risk when a user's permissions are removed from a site. By allowing different settings for Users and Groups, we could refresh just the Group Token Timeout to a more acceptable time for my company without impacting the User Token Timeout.
