Improving the Security of Authentication in an AD DS Domain
Windows Server 2008 R2 allows you to specify password and account lockout settings for the entire domain by modifying the Default Domain Policy GPO. You can then use fine-grained password and lockout policies contained in password settings objects (PSOs) to configure specific policies for groups or individual users.
When a domain user logs on to a computer in a domain, the computer generates a logon event, and the domain generates an account logon event. These events can be audited to monitor authentication activity. By default, Windows Server 2008 R2 audits successful account logon and logon events.
Read-only domain controllers (RODCs) provide valuable support for branch office scenarios by authenticating users in the branch office. RODCs reduce the security risk associated with placing a domain controller in a less secure site. You can configure which credentials an RODC will cache. You can also delegate administration of the RODC without granting permissions to other domain controllers or to the domain.
A managed service account can be used as the logon identity for a service running on a computer. The computer automatically changes the password of the managed service account.