All options always authenticate against the AD; no matter which configuration option you choose, the module will always authenticate against the AD. Passwords simply cannot be copied.
The "authenticate" option only authenticates; nothing is passed back from the AD. The module assumes a user exists, assumes the user name matches the one in AD, and simply passes the username and password to the AD.
"import users from AD" is an import that happens on a scheduled interval and creates the users prior to signup. This will still do the authentication against the AD, but does a lookup in the system.user table prior to authentication.
If you choose the import option, you should also use the group mapping option. The group mapping allows you to evaluate the LDAP user groups, and based on the AD group the user belongs to, it assigns the role. If you want to assign the same role to all users, you could choose the root domain and, based on that group, assign the common user role.