Account Policies - the account policies for the member server control the password policies and account lockout policies for all user accounts stored in the local SAM. It is a best practice to ensure that these account policies meet or exceed the account policies established for the domain user accounts, which are configured on the domain controllers. By default, member servers have the same account policies as the domain controllers, but this is very easy to change with a Group Policy Object (GPO).
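The "meet or exceed" check above is easy to state and easy to drift away from once a GPO overrides the local policy. The following PowerShell is an added example, not code from the article or from PolicyMaker: it exports the member server's effective local policy with secedit, reads the domain's default password policy with the ActiveDirectory module, and reports each setting where the local value is weaker. It assumes local administrator rights (secedit needs them) and the RSAT ActiveDirectory module; the setting names are the ones secedit writes to the [System Access] section of its export. Get-ADDefaultDomainPasswordPolicy returns the Default Domain Policy values only, so any fine-grained password policies (PSOs) applied to particular domain users are not reflected.

```powershell
# Added example (not from the article): flag local account policy settings
# that are weaker than the domain's default password/lockout policy.
# Assumes: local admin rights (secedit) and the ActiveDirectory module (RSAT).
#Requires -RunAsAdministrator

function Get-LocalAccountPolicy {
    # secedit exports the effective local security policy; the password and
    # lockout settings live in its [System Access] section.
    $inf = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
        $policy = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'System Access'); continue }
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Get-DomainAccountPolicy {
    Import-Module ActiveDirectory -ErrorAction Stop
    $d = Get-ADDefaultDomainPasswordPolicy
    # Normalise to the units secedit uses: days for ages, minutes for lockout
    # timers, counts for the rest. An unset maximum age (0 or an enormous
    # TimeSpan) is mapped to secedit's -1, "password never expires".
    $maxDays = [int]$d.MaxPasswordAge.TotalDays
    @{
        MinimumPasswordLength = $d.MinPasswordLength
        PasswordHistorySize   = $d.PasswordHistoryCount
        PasswordComplexity    = [int]$d.ComplexityEnabled
        MinimumPasswordAge    = $d.MinPasswordAge.Days
        MaximumPasswordAge    = if ($maxDays -le 0 -or $maxDays -gt 36500) { -1 } else { $maxDays }
        LockoutBadCount       = $d.LockoutThreshold
        LockoutDuration       = [int]$d.LockoutDuration.TotalMinutes
        ResetLockoutCount     = [int]$d.LockoutObservationWindow.TotalMinutes
    }
}

# Each rule returns $true when the local value meets or exceeds the domain
# value. Sentinels follow secedit: MaximumPasswordAge -1 = never expires
# (weakest), LockoutBadCount 0 = lockout disabled (weakest),
# LockoutDuration -1 = locked until an administrator unlocks (strongest).
$Rules = @{
    MinimumPasswordLength = { param($l, $d) $l -ge $d }
    PasswordHistorySize   = { param($l, $d) $l -ge $d }
    PasswordComplexity    = { param($l, $d) $l -ge $d }
    MinimumPasswordAge    = { param($l, $d) $l -ge $d }
    ResetLockoutCount     = { param($l, $d) $l -ge $d }
    MaximumPasswordAge    = { param($l, $d) ($d -eq -1) -or (($l -ne -1) -and ($l -le $d)) }
    LockoutBadCount       = { param($l, $d) ($d -eq 0) -or (($l -ne 0) -and ($l -le $d)) }
    LockoutDuration       = { param($l, $d) ($l -eq -1) -or (($d -ne -1) -and ($l -ge $d)) }
}

function Compare-AccountPolicy {
    # Both policies can be passed in explicitly (e.g. values exported from
    # another server) so the comparison can be run off-box as well.
    param(
        [hashtable]$Local  = (Get-LocalAccountPolicy),
        [hashtable]$Domain = (Get-DomainAccountPolicy)
    )
    foreach ($name in $Rules.Keys) {
        if (-not ($Local.ContainsKey($name) -and $Domain.ContainsKey($name))) { continue }
        [pscustomobject]@{
            Setting = $name
            Local   = $Local[$name]
            Domain  = $Domain[$name]
            Status  = if (& $Rules[$name] $Local[$name] $Domain[$name]) { 'OK' } else { 'WEAKER' }
        }
    }
}

Compare-AccountPolicy | Sort-Object Status -Descending | Format-Table -AutoSize
```

Any row marked WEAKER is a setting a GPO (or a local edit) has pulled below the domain baseline. On a server without RSAT, build the $Domain hashtable by hand from the domain controller's values and pass it to Compare-AccountPolicy.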
User Accounts - there is always one user account active on each member server by default: the Administrator account. This account needs to be protected at all costs; if an attacker gains control of the server as this account, there is nothing the attacker cannot do or access. Best-practice settings for protecting this account include renaming it, not using it for anything but recovering the server, establishing a complex password/passphrase, and disabling it. All of these options are available through a GPO except establishing a complex password/passphrase; however, with tools like PolicyMaker (www.desktopstandard.com/policymaker), the password can also be set using a GPO setting.
Groups - each member server comes with a suite of local groups. Some groups provide elevated privileges to perform administrative tasks on the server. These groups should be protected and configured properly so that only the appropriate users are members. A GPO setting called “Restricted Groups” can control the membership of existing groups, as shown in Figure 1.
Figure 1: Restricted Groups controls the membership in existing groups on a member server
Again, PolicyMaker takes control of local groups to a new level, allowing fine-grained control of the group's members, including a filter option to target only specific member servers.
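Whether the membership is enforced by Restricted Groups or by PolicyMaker, a server-side check that the built-in Administrator account and the privileged local groups look the way the policy says they should is what turns the two sections above into something auditable. The following PowerShell is an added example, not code from the article or from PolicyMaker. It assumes the LocalAccounts cmdlets (Windows Server 2016 / PowerShell 5.1 and later), finds the built-in Administrator by its RID of 500 so the check survives a rename, and compares each privileged group's members against an allow list; the CONTOSO group names in that list are constructed placeholders to be replaced with the organisation's own.

```powershell
# Added example (not from the article): audit the built-in Administrator
# account and the membership of privileged local groups on a member server.
# Assumes the Microsoft.PowerShell.LocalAccounts cmdlets; no domain modules needed.

function Test-BuiltinAdministrator {
    # The built-in Administrator is identified by RID 500, not by name, so
    # this still finds it after the account has been renamed.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{
        Name            = $admin.Name
        Renamed         = ($admin.Name -ne 'Administrator')
        Disabled        = (-not $admin.Enabled)
        PasswordAgeDays = if ($admin.PasswordLastSet) { ((Get-Date) - $admin.PasswordLastSet).Days } else { $null }
        LastLogon       = $admin.LastLogon
    }
}

function Get-PrivilegedGroupMembers {
    param([string]$Group)
    try {
        Get-LocalGroupMember -Group $Group -ErrorAction Stop |
            ForEach-Object { [pscustomobject]@{ Name = $_.Name; SID = $_.SID.Value; Source = $_.PrincipalSource } }
    } catch {
        # Get-LocalGroupMember fails when the group holds orphaned SIDs
        # (deleted domain accounts); fall back to the WinNT ADSI provider.
        $g = [ADSI]"WinNT://./$Group,group"
        foreach ($m in $g.Invoke('Members')) {
            $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            [pscustomobject]@{
                Name   = (($path -replace '^WinNT://', '') -replace '/', '\')
                SID    = $null
                Source = 'ADSI'
            }
        }
    }
}

function Test-RestrictedGroup {
    # $Allowed is the membership a Restricted Groups policy would enforce.
    # The CONTOSO entries are constructed placeholders; if the built-in
    # Administrator has been renamed, update its entry to the new name.
    param(
        [string]$Group = 'Administrators',
        [string[]]$Allowed = @(
            "$env:COMPUTERNAME\Administrator",
            'CONTOSO\Domain Admins',
            'CONTOSO\SRV-Admins'
        )
    )
    foreach ($m in Get-PrivilegedGroupMembers -Group $Group) {
        [pscustomobject]@{
            Group  = $Group
            Member = $m.Name
            Source = $m.Source
            Status = if ($Allowed -contains $m.Name) { 'expected' } else { 'UNEXPECTED' }
        }
    }
}

Test-BuiltinAdministrator | Format-List
'Administrators', 'Remote Desktop Users', 'Backup Operators' |
    ForEach-Object { Test-RestrictedGroup -Group $_ } |
    Format-Table -AutoSize
```

Run it after the GPO has applied (gpupdate /force) to confirm the policy actually took effect on the server; a Renamed=False or Disabled=False result, or any UNEXPECTED row, means the Restricted Groups or PolicyMaker setting is not reaching this machine.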
http://www.windowsecurity.com/articles/Securing-Windows-Member-Servers.html