As I understand it, when a user tries to log in, the system checks to see if they are authenticated to the domain and if they are, then a user is created for them in Kentico.
It is correct. The UserIsExternal flag is automatically added to the user, so the system knows that the user is authenticated to the domain.
Now if the user's account exists in the CMS as well, the administrator can give him additional permissions (IsEditor, etc.).
Is there any way to control this behavior? It may become a problem if a lot of people on the domain try to log in and end up creating a bunch of accounts.
You can create user accounts in advance using the ID Import tool.
The users that are created are marked as domain accounts, so they are only authenticated against the domain, correct?
It is correct.