It comes from the NTFS security-style qtree. UNIX users and permissions have no idea how to translate NTFS ACLs. The ACLs have users and groups that the UNIX side does not understand. Thus, when authenticating to the filer, ONTAP helps translate from UNIX semantics into NTFS semantics.
You don't create the Windows user; you use an existing AD user that is already on the NTFS-style qtree's ACLs. You can see permissions from the filer with:
filer> fsecurity show /vol/volname/qtree