The ActiveDirectory authentication matches the mojoPortal user ID with the sAMAccountName field in active directory. The get_NativeObject() call is used to validate the SAMAccountName/entered password combination as a valid and active user in AD. So the authentication is actually happening at the user level, not the root user.
I hope that helps,
Jamie