The Application_AuthenticateRequest event in the global.asax.cs is the event where users would be automatically created. This event fires the first time the user requests a page that is secured by roles.
I think in Web.config you would need to set <authentication mode="Windows"...
When using Windows authentication, we never store the user's windows password in the db at all, maybe we generate a random password and put it in the db but it is never used because the user never has to login to the site, he only has to log in to the windows machine or domain.
Hope it helps,