I would propose a change in how Tableau Server manages Active directory synced users, when users are removed from groups, they retain their license level.
For example, I have an Active Directory Group called GrpTableauCreators. This group has all of the users that I want to have access to create and publish content on Tableau Server. Occasionally, we shift these licenses around because a user doesn't use tableau very much or they have changed Job roles and no longer need that access. The only reason this user has a Creator license level is because of their membership in GrpTableauCreators. When we remove the user from this active directory group, they will be removed from the group on tableau server as well, but they retain the creator license. I now have to manually change the license from Creator to an explorer or viewer, I would want it move them down automatically to whatever is the highest level of the next group they are in.
Another area that could use some attention is when a user is removed from all synced groups. I would want the user to move to unlicensed if they are not in any currently synced active directory group.
Right now I use a series of queries that I run weekly to identify people that I need to remove from the server because they don't belong to any synced group.