Prior to Windows Server 2008, an Active Directory administrator was only able to configure a single Password Policy and Account Lockout Policy for any Active Directory domain.
If you were faced with a subset of users whose password policy requirements were different, you were left with the choice of configuring a separate domain or forcing all users within the domain to conform to a single password policy.
Beginning in Windows Server 2008, you can configure Fine-Grained Password Policies, which allow you to define multiple password policies within a single domain.
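The following is an added example, not taken from the original text: it defines a stricter policy for one group and then reports which policy actually applies to a user inside and a user outside that group. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later, or RSAT); the policy name, group name, user names and all policy values are hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module and rights to create
# Password Settings Objects (PSOs) in the domain.
Import-Module ActiveDirectory

# Hypothetical names, constructed for this example.
$psoName   = 'PSO-PrivilegedAdmins'
$groupName = 'Privileged-Admins'       # global security group that gets the stricter policy
$testUsers = 'adm.jsmith', 'jsmith'    # first is a member of the group, second is not

# Create the PSO only if it does not exist yet. A PSO carries both password
# and account lockout settings. Values below are illustrative.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 `
        -LockoutObservationWindow '0.00:30:00' `
        -LockoutDuration '0.00:30:00' `
        -ProtectedFromAccidentalDeletion $true
}

# Link the PSO to the group unless it is already a subject of the policy.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName
if ($subjects.Name -notcontains $groupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# Report the effective policy per user. Get-ADUserResultantPasswordPolicy
# returns nothing when no PSO applies; the domain-wide policy is then in force.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
foreach ($user in $testUsers) {
    $pso       = Get-ADUserResultantPasswordPolicy -Identity $user
    $effective = if ($pso) { $pso } else { $domainPolicy }
    [pscustomobject]@{
        User             = $user
        Source           = if ($pso) { "PSO: $($pso.Name)" } else { 'Domain password policy' }
        MinLength        = $effective.MinPasswordLength
        MaxPasswordAge   = $effective.MaxPasswordAge
        LockoutThreshold = $effective.LockoutThreshold
    }
}
```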
Kerberos is the default mechanism for authenticating domain users in Windows Server 2008, Windows Server 2003, and Microsoft Windows 2000. Kerberos is a ticket-based system that allows domain access by using a Key Distribution Center (KDC), which is used to issue Kerberos tickets to users, computers, or network services.
These tickets have a finite lifetime and are based in part on system time clocks. Note that Kerberos has a 5-minute clock skew tolerance between the client and the domain controller.
If the clocks are off by more than 5 minutes, the client will not be able to log on.
System events — Events that trigger a log entry in this category include system startups and shutdowns; system time changes; exhaustion of system event resources, such as when an event log is filled and can no longer append entries; security log cleaning; or any event that affects system security or the security log.
In the Default Domain Controllers GPO, this setting is set to log successes by default.
Policy change events — By default, this policy is set to audit successes in the Default Domain Controllers GPO.
Policy change audit log entries are triggered by events such as user rights assignment changes, establishment or removal of trust relationships, IPSec policy agent changes, and grants or removals of system access privileges.
Account management events — This policy setting is set to audit successes in the Default Domain Controllers GPO. This setting triggers an event that is written based on changes to account properties and group properties.
Log entries written due to this policy setting reflect events related to user or group account creation, deletion, renaming, enabling, or disabling.
Offline Files is a separate Group Policy category that allows files to remain available to users even when the users are disconnected from the network.
The Offline Files feature works well with Folder Redirection: when Offline Files is enabled, users can access necessary files as if they were connected to the network.
When the network connection is restored, changes made to any documents are synchronized to the server.
Folders can be configured so that either all files or only selected files within the folder are available for offline use. When it is combined with Folder Redirection, users have the benefits of being able to redirect files to a network location and still have access to the files when the network connection is not present.