3.1.1.8.1 AD LDS Users
An AD LDS user object is a security principal object in AD LDS that contains a password.
If at least one of the following statements applies to an object class within an AD LDS schema, then each instance of that object class functions as an AD LDS user:
1. The object class contains msDS-BindableObject as a static auxiliary class.
2. The object class contains a static auxiliary class that is a subclass of msDS-BindableObject.
3. The object class is a subclass of another object class that satisfies statement 1 or 2.
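The three statements amount to a walk over two schema relationships: the static auxiliary classes a class declares, and its subClassOf chain. The following Python is an added example, not text from MS-ADTS and not code from AD LDS. It assumes that a class's static auxiliary classes are exactly those named in its auxiliaryClass and systemAuxiliaryClass attributes (the specification's static/dynamic distinction), and it runs over a constructed toy schema: msDS-BindableObjectExt and serviceAccount are hypothetical classes, and person, user, contact and userProxy are modeled loosely rather than copied from the shipped LDIF files.

```python
# Added example (not from MS-ADTS): decide whether instances of a class in an
# AD LDS schema are AD LDS users, by applying statements 1-3 above.
# Assumption: static auxiliary classes = auxiliaryClass + systemAuxiliaryClass.
from typing import Dict, Iterator, List, Optional

BINDABLE = "msDS-BindableObject"

# Constructed toy schema: class name -> subClassOf and static auxiliary classes.
# msDS-BindableObjectExt and serviceAccount are hypothetical; the rest are
# simplified stand-ins for real classes, not the real definitions.
SCHEMA: Dict[str, dict] = {
    "top": {"subClassOf": "top"},  # top names itself as its superclass
    "msDS-BindableObject": {"subClassOf": "top"},
    "msDS-BindProxy": {"subClassOf": "top"},
    "msDS-BindableObjectExt": {"subClassOf": "msDS-BindableObject"},  # hypothetical
    "person": {"subClassOf": "top", "systemAuxiliaryClass": [BINDABLE]},
    "organizationalPerson": {"subClassOf": "person"},
    "user": {"subClassOf": "organizationalPerson"},
    "contact": {"subClassOf": "top"},
    "serviceAccount": {"subClassOf": "top",  # hypothetical
                       "auxiliaryClass": ["msDS-BindableObjectExt"]},
    # Bind proxies use a different auxiliary class and are not AD LDS users.
    "userProxy": {"subClassOf": "top", "systemAuxiliaryClass": ["msDS-BindProxy"]},
}


def superclass_chain(schema: Dict[str, dict], cls: str) -> Iterator[str]:
    """Yield cls, then each ancestor via subClassOf; stops when a class repeats (top)."""
    seen = set()
    while cls in schema and cls not in seen:
        seen.add(cls)
        yield cls
        cls = schema[cls]["subClassOf"]


def is_subclass_of(schema: Dict[str, dict], cls: str, ancestor: str) -> bool:
    """True if cls is ancestor or derives from it through subClassOf."""
    return ancestor in superclass_chain(schema, cls)


def static_aux_classes(schema: Dict[str, dict], cls: str) -> List[str]:
    """Static auxiliary classes: the auxiliaryClass and systemAuxiliaryClass values."""
    entry = schema[cls]
    return list(entry.get("auxiliaryClass", [])) + list(entry.get("systemAuxiliaryClass", []))


def _satisfies_1_or_2(schema: Dict[str, dict], cls: str) -> Optional[int]:
    """Return 1 or 2 if cls itself satisfies that statement, else None."""
    for aux in static_aux_classes(schema, cls):
        if aux == BINDABLE:
            return 1
        if is_subclass_of(schema, aux, BINDABLE):
            return 2
    return None


def user_class_statement(schema: Dict[str, dict], cls: str) -> Optional[int]:
    """Return the first of statements 1, 2, 3 that applies to cls, or None."""
    if cls not in schema:
        raise KeyError(f"class {cls!r} is not in the schema")
    direct = _satisfies_1_or_2(schema, cls)
    if direct is not None:
        return direct
    # Statement 3: some superclass (excluding cls itself) satisfies 1 or 2.
    for parent in list(superclass_chain(schema, cls))[1:]:
        if _satisfies_1_or_2(schema, parent) is not None:
            return 3
    return None


def is_ad_lds_user_class(schema: Dict[str, dict], cls: str) -> bool:
    """Instances of cls function as AD LDS users iff some statement applies."""
    return user_class_statement(schema, cls) is not None


if __name__ == "__main__":
    for name in ("person", "serviceAccount", "user", "contact", "userProxy"):
        print(f"{name:20} statement={user_class_statement(SCHEMA, name)}")
```

The check is made on the classSchema objects, not on an instance's objectClass values, so an auxiliary class attached dynamically to a single object does not count; that matches the "static" wording of the statements. userProxy in the toy schema shows the other side: an auxiliary class that is not msDS-BindableObject or one of its subclasses does not make instances AD LDS users, whatever else it enables.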
An AD LDS user object has these special properties and behavior:
Its objectSid is assigned during Add as specified in section 3.1.1.5.2.4.
It can be a member of group objects in its AD LDS forest, subject to the limitations on inter-NC references specified in section 3.1.1.2.2.3, Referential Integrity.
It can be named in an LDAP bind; section 5.1.1.5 specifies the supported authentication mechanisms and protocols. A successful bind establishes a security context for the LDAP connection as specified in section 5.1.3.4.
Its password can be assigned an initial value and later updated. Special processing applies to both the initial assignment and each update; sections 3.1.1.5.2.2, 3.1.1.5.2.4, 3.1.1.5.3.1, 3.1.1.5.3.2, and 3.1.1.5.3.3 specify this processing.
Its objectSid can be written into an AD LDS security descriptor, subject to restrictions specified in section 6.1.3.3.