AFAIC, there is a fundamental shortfall in the way 'available credentials' are listed when attempting injection on an endpoint.
The desired behaviour would be that only the related credentials would be listed, rather than the full list of those that the operator has permission to inject.
To my mind, a sensible logic function should be added at the point of processing / creating the dropdown list to show only matching credentials where the domain suffix (i.e. the string before the '\' delimiter) in the credential matches the domain on the target machine.
This logic would only work against domain devices, but would provide a significant reduction in the visible noise when there are thousands of listed credentials, many very similar.
Given this, the easiest approach (and surely the easiest to implement) would be to display the credential Comment attribute instead of the username:
- Import a credential (domainA\user) with a password comment of "Business A Admin"
- Import a credential (domainB\user) with a password comment of "Business B Admin"
The backend functions / links to objects themselves should not need to be addressed, but when the injection list is rendered it displays the associated comments ("Business A Admin" and "Business B Admin") instead of the credential itself.
Where there is no password comment, display the credential. This change would allow existing instances that don't have the comment attribute defined to continue working as they are, but would give estates such as ours the ability to easily see the appropriate credentials to be utilised.
...Of course if a filter was added to this as well, the solution would be absolutely perfect.
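
The list-building logic requested above, sketched as an added example that is not part of the original post or the product's own code. The `Credential` type, the function names and the `search` parameter are hypothetical, and appending the username to duplicate comments is an assumption added so that identical labels cannot be confused.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    username: str      # "domain\\user" form, as in the post
    comment: str = ""  # password comment; empty when not defined


def credential_domain(username):
    """Return the part before the '\\' delimiter, lower-cased, or None if absent."""
    domain, sep, _user = username.partition("\\")
    domain = domain.strip().lower()
    return domain if sep and domain else None


def display_label(cred):
    """Show the comment when one is set; otherwise fall back to the credential."""
    return cred.comment.strip() or cred.username


def injection_list(creds, target_domain, search=""):
    """Build the dropdown rows as (label, credential) pairs."""
    target = (target_domain or "").strip().lower()
    if target:
        rows = [c for c in creds if credential_domain(c.username) == target]
    else:
        # Not a domain device: the domain match cannot apply, keep the full list.
        rows = list(creds)
    needle = search.strip().lower()
    if needle:
        rows = [c for c in rows
                if needle in display_label(c).lower() or needle in c.username.lower()]
    # Assumption: when two rows would share a label, append the username so the
    # operator cannot pick the wrong account from identical comments.
    counts = Counter(display_label(c) for c in rows)
    return [(display_label(c) if counts[display_label(c)] == 1
             else f"{display_label(c)} ({c.username})", c) for c in rows]


# Constructed sample data: the two credentials from the post plus edge cases.
SAMPLE = [
    Credential("domainA\\user", "Business A Admin"),
    Credential("domainB\\user", "Business B Admin"),
    Credential("DOMAINA\\svc_backup"),                  # no comment defined
    Credential("domainA\\admin2", "Business A Admin"),  # duplicate comment
]
```

The returned pairs keep the underlying credential object untouched, so only the rendered label changes and the backend link to the credential stays as it is.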