5.1.3.4 AD LDS Security Context Construction

The construction of a Windows security context for an authenticated security principal in AD DS is specified in [MS-PAC] section 4.1.2.2.

After a successful authentication to an AD LDS DC, the DC constructs a security context for the authenticated security principal as follows:

  1. Create an initial security context.

    • If the bind named an AD LDS user object, the initial security context contains only the objectSid of that object.

    • If the bind named an AD LDS bind proxy, or the SID of some Windows account, the initial security context is the context returned by the Windows login.

  2. Extend the security context with well-known SIDs.

    • If the bind named an AD LDS user object or an AD LDS bind proxy object, add the following SIDs to the security context if not already present:

      1. Authenticated Users (section 6.1.1.2.6.2).

      2. Everyone (section 6.1.1.2.6.10).

      3. Users, for the NC containing the AD LDS object (section 6.1.1.4.13.3).

      4. Users, for the config NC of the forest containing the AD LDS object (section 6.1.1.4.13.3).

  3. Extend the security context with AD LDS group memberships.

    • If a SID currently in the security context is a member of an AD LDS group on this DC, and that group is not already present in the context, add the SID of that group to the context. (The group membership is represented as a reference to an object whose objectSid equals the SID: either an AD LDS user, an AD LDS bind proxy, an AD LDS group, or a foreignSecurityPrincipal object.) Repeat until there are no more SIDs to add.
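The three steps above, as an added worked example (not code from MS-ADTS or from the AD LDS implementation), run over a small constructed directory: SIDs are plain strings, the per-NC Users SIDs and all group SIDs are constructed placeholders, and the Windows logon context for a bind proxy or Windows account is passed in as a set.

```python
# Added example: AD LDS security context construction (steps 1-3 above).
# Assumptions: a bind is one of "user", "proxy", or "windows"; the Windows
# logon context is supplied by the caller as a set of SID strings.

AUTHENTICATED_USERS = "S-1-5-11"   # well-known SID, section 6.1.1.2.6.2
EVERYONE = "S-1-1-0"               # well-known SID, section 6.1.1.2.6.10

# Constructed sample directory (placeholder SIDs, not real values).
NC_USERS_SID = {                   # "Users" SID of each NC (RID 545)
    "app-nc": "S-1-510474493-1111111111-545",
    "config-nc": "S-1-510474493-2222222222-545",
}
ALICE = "S-1-510474493-1111111111-1001"        # AD LDS user object
READERS = "S-1-510474493-1111111111-1100"      # AD LDS group <- ALICE
AUDITORS = "S-1-510474493-1111111111-1101"     # AD LDS group <- READERS
ALL_AUTH = "S-1-510474493-1111111111-1102"     # AD LDS group <- Authenticated Users
GROUPS = {                         # group SID -> SIDs of its direct members
    READERS: {ALICE},
    AUDITORS: {READERS},
    ALL_AUTH: {AUTHENTICATED_USERS},
}

def build_security_context(bind_kind, object_sid=None, windows_ctx=None,
                           object_nc="app-nc", config_nc="config-nc"):
    # Step 1: initial context.
    if bind_kind == "user":
        ctx = {object_sid}
    elif bind_kind in ("proxy", "windows"):
        ctx = set(windows_ctx)
    else:
        raise ValueError("unknown bind kind")
    # Step 2: well-known SIDs, only for AD LDS user and bind proxy binds.
    if bind_kind in ("user", "proxy"):
        ctx |= {AUTHENTICATED_USERS, EVERYONE,
                NC_USERS_SID[object_nc], NC_USERS_SID[config_nc]}
    # Step 3: transitive AD LDS group membership, iterated to a fixed point
    # so nested groups (AUDITORS via READERS) are picked up.
    changed = True
    while changed:
        changed = False
        for group_sid, members in GROUPS.items():
            if group_sid not in ctx and ctx & members:
                ctx.add(group_sid)
                changed = True
    return ctx
```

Note that a plain Windows-account bind skips step 2, so its context contains ALL_AUTH only if the Windows logon context itself already carried Authenticated Users.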