A limitation of Active Directory that I have always found to be extremely aggravating is the Password and Account lockout policy.
You could only set one for the domain..any other policy defined at the OU level would be applied to local accounts only.
How many times did I wish I could set a different password policy for service accounts ! I had to decide between relying on people to use good service account passwords or forcing end-users to use insane passwords. So we had to trust the people creating the service accounts..
Different departments requiring different policies for auditing purposes were also a reason to setup a separate domain. That means at least two new servers, more management time..ew!
In 2008, if you are running AD in Windows 2008 Native mode, you can now create PSOs (Password Settings Objects) and therefore apply different password policies to different security groups!
This is absolutely awesome and is a very good argument to migrate to 2008.
See this Technet article about Password Settings Objects/Fine-grained password policies , and use this great tool (PSOMgr from Joeware) to play with the settings, instead of using Adsiedit.
I wonder when Microsoft will have a nice interface to create these..
Oh yeah, and my other favorite reason is Read-Only DCs..let’s say they both rank as #1 reasons 
When hardening Windows servers through security templates or Group Policies, it is important to give the proper permissions to services. You might want to grant a helpdesk group the rights to stop, start and pause a service while not being able to change the parameters on the server, and most of all, without being a local admin of that server.
To do that, you create a new Group Policy, and under Computer configuration, you find the System Services section. Then you select your spooler service, you set its startup mode to automatic, and you specify the rights.
Now, the problem is that the default rights the GPMC console shows you is NOT aligned with the actual defaults of Windows !
Here you can see on the left, what GPMC is proposing. On the right, Default Windows 2003 settings.
Now, it is probably a very good thing to remove Power Users. The print spooler might be perfectly fine with what GPMC wants you to use + your own customizations.
However, it is very important to make sure that any service that depends on this service is able to read! For example, if only administrators can read the service, and you have a Fax server that depends on the Print Spooler , it will not be able to start unless the service account it uses is part of Administrators!
Just a thing to keep in mind when hardening a lot of services, or when troubleshooting service startup problems..
