22.214.171.124 AD LDS Security Context Construction
1. Create an initial security context.
   - If the bind named an AD LDS bind proxy, or the SID of some Windows account, the initial security context is the context returned by the Windows login.
2. Extend the security context with well-known SIDs.
   - If the bind named an AD LDS user object or an AD LDS bind proxy object, add the following SIDs to the security context if not already present:
     - Authenticated Users (section 126.96.36.199.6.2).
     - Everyone (section 188.8.131.52.6.10).
3. Extend the security context with AD LDS group memberships.
   - If a SID currently in the security context is a member of an AD LDS group on this DC, and that group is not already present in the context, add the SID of that group to the context. (The group membership is represented as a reference to an object whose objectSid equals the SID: either an AD LDS user, an AD LDS bind proxy, an AD LDS group, or a foreignSecurityPrincipal object.) Repeat until there are no more SIDs to add.
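The well-known-SID and group-membership steps above form a fixed-point computation, sketched here as an added example that is not part of the specification. The function name, the bind-kind labels, the in-memory membership map and all account and group SIDs are assumptions made for illustration; the initial context from the first step is supplied by the caller.

```python
AUTHENTICATED_USERS = "S-1-5-11"  # well-known SID
EVERYONE = "S-1-1-0"              # well-known SID

def build_security_context(bind_kind, initial_sids, group_members):
    """Return the set of SIDs in the security context.

    bind_kind     -- 'lds_user', 'bind_proxy' or 'windows' (hypothetical labels)
    initial_sids  -- SIDs of the initial security context, given by the caller
    group_members -- {group SID: set of member SIDs} for AD LDS groups on this DC
    """
    context = set(initial_sids)

    # Well-known SIDs are added only for AD LDS user and bind proxy binds.
    if bind_kind in ("lds_user", "bind_proxy"):
        context |= {AUTHENTICATED_USERS, EVERYONE}

    # Invert the membership map so each SID lists the groups that contain it.
    member_of = {}
    for group, members in group_members.items():
        for member in members:
            member_of.setdefault(member, set()).add(group)

    # Worklist expansion: every newly added group SID is itself examined, so
    # nested groups are followed. A group is queued at most once, which makes
    # the loop terminate even when groups are members of each other.
    pending = list(context)
    while pending:
        sid = pending.pop()
        for group in member_of.get(sid, ()):
            if group not in context:
                context.add(group)
                pending.append(group)
    return context

# Constructed sample data (not real accounts or groups).
LDS_USER = "S-1-5-21-1-2-3-1101"
READERS, OPERATORS = "S-1-5-21-1-2-3-2001", "S-1-5-21-1-2-3-2002"
ADMINS, AUDITORS = "S-1-5-21-1-2-3-2003", "S-1-5-21-1-2-3-2004"
UNRELATED = "S-1-5-21-1-2-3-2005"
GROUPS = {
    READERS: {AUTHENTICATED_USERS},   # reached only via a well-known SID
    OPERATORS: {LDS_USER},            # direct membership
    ADMINS: {OPERATORS, AUDITORS},    # nested membership
    AUDITORS: {ADMINS},               # cycle with ADMINS
    UNRELATED: {"S-1-5-21-1-2-3-9999"},
}
```

Because the well-known SIDs are added before group expansion, an AD LDS group that lists Authenticated Users or Everyone as a member is granted to every AD LDS user and bind proxy bind, which is worth checking when reviewing group membership on an instance.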