RODC Password Replication Policy

The Password Replication Policy (PRP) defines which accounts' credentials (password secrets) a Read Only Domain Controller (RODC) is allowed to cache; RODCs are available from Windows Server 2008 and Windows Server 2008 R2 onwards. It is useful when the company has branch offices and we want to place an RODC in each branch with the roles we need there: users can authenticate against the local RODC, and logon is faster because the authentication traffic no longer has to cross the WAN to a writable DC at head office. The security trade-off is that an RODC usually sits in a less protected location, so only the secrets of accounts that really work at that site should ever be cached on it: if the RODC is stolen or compromised, the cached passwords are the ones exposed and the ones that must be reset.

To make it easier to manage which users we want to cache on the RODCs and which we don't, we have two groups in our domain that will help us:
Allowed RODC Password Replication Group (Grupo de replicación de contraseña RODC permitida): by default this group has no members; every user or group we add to it will have its passwords cached on our RODCs, so those users can be authenticated directly by the RODC.
Denied RODC Password Replication Group (Grupo de replicación de contraseña RODC denegada): here we add the users/groups whose credentials we do not want cached. By default it contains the privileged principals: Domain Admins, Schema Admins, Enterprise Admins, Domain Controllers, Read-only Domain Controllers, Group Policy Creator Owners and Cert Publishers. Deny always takes precedence over Allow, so an account that ends up (directly or through group nesting) in both lists is never cached.
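The following PowerShell is an added example for this post (not code from the original article): it manages the two domain-wide PRP groups from a writable DC with the ActiveDirectory module and then checks the resultant policy for a normal branch user and for a privileged account. The RODC name, the branch group and the user names are assumptions for illustration.

```powershell
# Added example (not from the original post). Manage the domain-wide PRP
# groups from a writable DC with the ActiveDirectory module and verify the
# result per RODC. Host, group and user names are assumptions for illustration.
Import-Module ActiveDirectory

$rodc        = 'RODC-BRANCH01'     # assumed RODC computer name
$branchGroup = 'Branch01-Users'    # assumed group of users at that branch
$branchUser  = 'jdoe'              # assumed member of Branch01-Users
$adminUser   = 'Administrator'     # built-in account, must never be cached

# 1. Allow caching only for the people who actually work at the branch:
#    add their group, not individual users, to the Allowed group.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $branchGroup

# 2. Review the Denied group; the privileged principals live here by default.
Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' |
    Select-Object Name, objectClass

# 3. The effective Allowed/Denied lists are attributes of each RODC computer
#    object, so every RODC can be inspected (or tuned) individually.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Optional per-RODC deny, e.g. keep an assumed service account out of this one branch:
# Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'svc-backup'

# 4. Check the resultant policy. Deny wins over Allow, so the branch user
#    should resolve to Allow and the built-in administrator to Deny.
Test-ADResultantPasswordReplicationPolicy -Identity $branchUser -DomainController $rodc
Test-ADResultantPasswordReplicationPolicy -Identity $adminUser  -DomainController $rodc
```

Adding a group rather than individual users keeps the Allowed list reviewable, and the last two calls are the check worth repeating after any change: a privileged account that resolves to Allow on an RODC is a misconfiguration, not a convenience.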

If we go to the RODC's computer account in Active Directory Users and Computers and open its properties, the "Password Replication Policy" tab lets us view the current settings or configure them from here (the Allowed and Denied entries are stored on the RODC computer object itself). If we click "Advanced..."

we get a dialog with two tabs, "Policy Usage" and "Resultant Policy". "Policy Usage" shows the accounts that have authenticated to this RODC and the accounts whose passwords are already stored (cached) on it, and from here we can also force certain accounts to be cached in advance with "Prepopulate Passwords...". "Resultant Policy" lets us pick an account and see whether its password would be cached on this RODC, which is the quickest way to confirm that a privileged account really ends up denied.
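The same information as the "Policy Usage" tab, plus the prepopulation step, as an added PowerShell example (not code from the original post). It also adds a check the GUI does not offer: cached accounts that have since landed in the Denied group, whose stale secret stays on the RODC until their password is changed. The RODC, writable DC and user names are assumptions.

```powershell
# Added example (not from the original post). Audit what an RODC has cached
# and prepopulate a password before the branch goes live. Names are assumptions.
Import-Module ActiveDirectory

$rodc       = 'RODC-BRANCH01'   # assumed RODC computer name
$writableDc = 'DC01'            # assumed writable DC at head office
$user       = 'jdoe'            # assumed branch user to prepopulate

# "Policy Usage" tab, first list: accounts that have authenticated through this RODC
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, SamAccountName, objectClass

# "Policy Usage" tab, second list: accounts whose passwords are actually stored on the RODC
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, SamAccountName, objectClass

# Caveat check: an account moved into the Denied group after it was cached is not
# purged automatically; its old secret stays on the RODC until the password is
# changed. Flag any such account so its password can be reset.
$denied = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$revealed | Where-Object { $denied -contains $_.SamAccountName } |
    ForEach-Object { Write-Warning "Cached on $rodc but now denied: $($_.SamAccountName)" }

# "Prepopulate Passwords...": replicate only the secret of one account from the
# writable DC to the RODC. The account must be allowed by the resultant policy,
# otherwise the RODC refuses to store it.
Sync-ADObject -Object (Get-ADUser $user) -Source $writableDc -Destination $rodc -PasswordOnly
```

The revealed list is also the list to work from if the RODC is ever lost: those are the accounts whose passwords must be reset, which is why keeping it short matters more than the convenience of caching everyone.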


Author

nheobug@bujarra.com
Author of the Bujarra.com blog. Whatever you need, do not hesitate to contact me, I will try to help you whenever I can. Sharing is living ;). Enjoy the documents!!!