Hello Alexander,
you wrote:
Security: While it would be possible to connect the NX or x2go server to the Windows Domain using PAM, keeping the two "worlds" separate is a security benefit, since in the unlikely event that the Linux box gets hacked, the Windows Domain is not exposed to the attacker.
On the other hand, in the far more likely event your Windows Domain gets hacked, you have handed the attacker all the Unix passwords on a platter.
Well, I'll admit that I might be a little self-centric here, but in the usage scenario I have in mind, the Windows Domain has no Internet connection at all, except for the one server distributing the Windows Update packages - and even that one is limited to the Windows Update sites using a whitelist on a proxy server. So an attacker would have to be a rogue employee or someone else who gained physical access (fake janitor or whatever). The Linux box with NX/x2go, OTOH, is connected to the Internet.
Kind Regards, Stefan