Microsoft KB Archive/169556

From BetaArchive Wiki
Knowledge Base

Stopping A Domain User From Creating Local Groups On A Domain

Article ID: 169556

Article Last Modified on 11/1/2006


  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 4.0 Standard Edition

This article was previously published under Q169556


The default user rights in Windows NT allow any domain user to create domain local groups (these reside only on the Domain Controllers, which share a single security account manager (SAM)).


The default protection access controls on the Windows NT domain allows everyone the right to create local groups on the domain controller. The access right on the domain object is known as DOMAIN_CREATE_ALIAS.

The ability for normal users to create local groups on a server is documented in the Windows NT Server Concepts and Planning manual. This ability was provided to allow users to better control access to resources owned by the user. For example, a user who wants to grant access to files owned by the user and stored on a network server can create a local group in the domain and add users to that group. Then they can set the access controls on the files or directories based on the local group object, which is much more desirable than having to set access controls based on individual users. When a user creates a local group, only that user, or the Domain Administrators can modify membership to that group, or delete that group. The ability for everyone to create aliases on the domain could potentially be abused by creating a large number of local groups in the domain and causing the size of the account database to grow unrestricted.


Setting the auditing of User And Group Management from User Manager for Domains enables you to track who creates local groups in the domain. Users that abuse this by creating a large number of groups can be identified in this manner and appropriate actions taken.

A utility to change this default behavior is available in the Windows NT Resource Kit. The utility is called CREATALS.EXE. This utility can be used to change the default behavior and restrict the creation of local groups to administrative users.

You can download this utility from the Resource Kit FTP update site:


Additional query words: 4.00 usrmgr sec hack localgroup NoWinNT5

Keywords: KB169556