3.1.1.8.2 Bind Proxies
An AD LDS bind proxy is an object that represents a security principal of the underlying operating system; it is not a security principal itself. A bind proxy object does not contain a password.
If at least one of the following statements applies to an object class within an AD LDS schema, then each instance of that object class functions as an AD LDS bind proxy:
1. The object class contains msDS-BindProxy as a static auxiliary class.
2. The object class contains a static auxiliary class that is a subclass of msDS-BindProxy.
3. The object class is a subclass of another object class that satisfies statement 1 or 2.
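The three statements above amount to a walk over the class hierarchy: check the class's own static auxiliary classes (statements 1 and 2), then repeat for each superclass (statement 3). The following Python is an added illustration of that walk, not code from MS-ADTS or any Microsoft product. It assumes a toy in-memory schema where a "static auxiliary class" is one listed in a class's auxiliaryClass or systemAuxiliaryClass attribute; the class names prefixed x- and the entries in ENTRIES are constructed for the example and do not exist in any real schema.

```python
"""Decide whether an AD LDS object class (and hence each of its instances)
functions as a bind proxy by applying the three schema rules above.

Added illustration, not MS-ADTS or product code. The schema below is a
constructed toy: a "static auxiliary class" is modelled as an entry in the
class's auxiliaryClass or systemAuxiliaryClass list, and every class whose
name starts with "x-" is hypothetical.
"""

BIND_PROXY_AUX = "msDS-BindProxy"

# Constructed toy schema: class name -> classSchema-like definition.
SCHEMA = {
    "top":              {"subClassOf": "top",            "auxiliaryClass": [],                 "systemAuxiliaryClass": []},
    "msDS-BindProxy":   {"subClassOf": "top",            "auxiliaryClass": [],                 "systemAuxiliaryClass": []},
    "x-BindProxyExt":   {"subClassOf": "msDS-BindProxy", "auxiliaryClass": [],                 "systemAuxiliaryClass": []},
    "user":             {"subClassOf": "top",            "auxiliaryClass": [],                 "systemAuxiliaryClass": []},
    "x-ProxyUser":      {"subClassOf": "user",           "auxiliaryClass": [],                 "systemAuxiliaryClass": [BIND_PROXY_AUX]},  # statement 1
    "x-ExtProxyUser":   {"subClassOf": "user",           "auxiliaryClass": ["x-BindProxyExt"], "systemAuxiliaryClass": []},              # statement 2
    "x-ProxyUserChild": {"subClassOf": "x-ProxyUser",    "auxiliaryClass": [],                 "systemAuxiliaryClass": []},              # statement 3
    "contact":          {"subClassOf": "top",            "auxiliaryClass": [],                 "systemAuxiliaryClass": []},
}

# Constructed sample entries. The second carries msDS-BindProxy only as a
# dynamic auxiliary class on the entry, which the rules above do not count.
ENTRIES = [
    {"dn": "CN=alice,CN=Users,O=Example", "structuralObjectClass": "x-ProxyUser",
     "objectClass": ["top", "user", "x-ProxyUser", "msDS-BindProxy"]},
    {"dn": "CN=bob,CN=Users,O=Example", "structuralObjectClass": "contact",
     "objectClass": ["top", "contact", "msDS-BindProxy"]},
]


def superclass_chain(schema, cls):
    """Yield cls, then each ancestor via subClassOf; stops at the self-referencing root (top)."""
    seen = set()
    while cls in schema and cls not in seen:
        seen.add(cls)
        yield cls
        cls = schema[cls]["subClassOf"]


def is_subclass_of(schema, cls, ancestor):
    """True if ancestor appears in the proper superclass chain of cls."""
    return ancestor in list(superclass_chain(schema, cls))[1:]


def static_auxiliary_classes(schema, cls):
    """Static auxiliary classes declared on the classSchema object itself."""
    defn = schema[cls]
    return defn["auxiliaryClass"] + defn["systemAuxiliaryClass"]


def is_bind_proxy_class(schema, cls):
    """Statements 1 and 2 on cls itself, then statement 3 via every superclass."""
    for c in superclass_chain(schema, cls):
        for aux in static_auxiliary_classes(schema, c):
            if aux == BIND_PROXY_AUX or is_subclass_of(schema, aux, BIND_PROXY_AUX):
                return True
    return False


def is_bind_proxy_object(schema, entry):
    """An instance functions as a bind proxy iff its structural class does;
    auxiliary classes present only in the entry's objectClass are dynamic, not static."""
    return is_bind_proxy_class(schema, entry["structuralObjectClass"])


def classify_all(schema):
    """Map every class in the schema to whether its instances are bind proxies."""
    return {cls: is_bind_proxy_class(schema, cls) for cls in schema}


if __name__ == "__main__":
    for cls, flag in classify_all(SCHEMA).items():
        print(f"{cls:18s} bind proxy: {flag}")
    for entry in ENTRIES:
        print(f"{entry['dn']}: {is_bind_proxy_object(SCHEMA, entry)}")
```

The walk uses a visited set so the self-referencing subClassOf of top cannot loop, and it deliberately ignores auxiliary classes that appear only in an entry's objectClass, since the rules refer to static auxiliary classes on the class definition.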
An AD LDS bind proxy object has these special properties and behavior:
Its objectSid is assigned during Add and is the SID of some Windows user in a security realm trusted by the machine running the AD LDS DC that performed the Add. For instance, if an AD LDS DC is running on a machine that is joined to an Active Directory domain D, then the objectSid of a bind proxy created by that DC can be the SID of a user within D, within the forest that contains D, or within any domain or forest trusted by D or by the forest that contains D.
It can be a member of group objects in its AD LDS forest, subject to the limitations on inter-NC references specified in section 3.1.1.2.2.3, Referential Integrity.
It can be named in an LDAP bind; section 5.1.1.5 specifies the supported authentication mechanisms and protocols. If the bind succeeds, it creates a security context for the LDAP connection as specified in section 5.1.3.4.
It does not contain a password. Special processing is performed on update to its password attribute, as specified in section 3.1.1.5.3.3, except on Active Directory Application Mode (ADAM) RTW DCs.