Stopping A Domain User From Creating Local Groups On A Domain

Article translations Article translations
Article ID: 169556 - View products that this article applies to.
This article was previously published under Q169556
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all

SYMPTOMS

The default user rights in Windows NT allow any domain user to create domain local groups (these reside only on the Domain Controllers, which share a single security account manager (SAM)).

CAUSE

The default protection access controls on the Windows NT domain allows everyone the right to create local groups on the domain controller. The access right on the domain object is known as DOMAIN_CREATE_ALIAS.

The ability for normal users to create local groups on a server is documented in the Windows NT Server Concepts and Planning manual. This ability was provided to allow users to better control access to resources owned by the user. For example, a user who wants to grant access to files owned by the user and stored on a network server can create a local group in the domain and add users to that group. Then they can set the access controls on the files or directories based on the local group object, which is much more desirable than having to set access controls based on individual users. When a user creates a local group, only that user, or the Domain Administrators can modify membership to that group, or delete that group. The ability for everyone to create aliases on the domain could potentially be abused by creating a large number of local groups in the domain and causing the size of the account database to grow unrestricted.

RESOLUTION

Setting the auditing of User And Group Management from User Manager for Domains enables you to track who creates local groups in the domain. Users that abuse this by creating a large number of groups can be identified in this manner and appropriate actions taken.

A utility to change this default behavior is available in the Windows NT Resource Kit. The utility is called CREATALS.EXE. This utility can be used to change the default behavior and restrict the creation of local groups to administrative users.

You can download this utility from the Resource Kit FTP update site:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt40/i386/CREATALS_x86.exe
or
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt40/alpha/CREATALS

Properties

Article ID: 169556 - Last Review: October 7, 2013 - Revision: 1.1
APPLIES TO
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 4.0 Standard Edition
Keywords: 
kbnosurvey kbarchive KB169556

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com