
Disabling Creation of Local Groups on a Domain by Non-Administrative Users

The default Microsoft® Windows NT® user rights allow non-administrative users to create domain local groups. Domain local groups reside only on the Domain Controllers, which share a single security account manager (SAM).

Issue

Non-administrative users could abuse the ability to create aliases (local groups) on the domain by creating a large number of them, causing the account database to grow without restriction. Unlimited local group creation could crash the domain controller and lead to excessive network traffic, because local group information is replicated to the backup domain controllers.

Affected Products

  • Windows NT Server 3.1, 3.5, 3.51, and 4.0

Solution

Enabling auditing of "User and Group Management" in User Manager for Domains produces an audit event whenever a local group is created in the domain. Users who abuse this feature by creating a large number of groups can be identified in this manner, and appropriate administrative action can be taken.

A utility that changes this by-design behavior can be obtained from the Microsoft web site. The tool modifies the default behavior and restricts the creation of local groups to administrative users.
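The audit review described above, as an added example that is not Microsoft's code: it tallies local-group-creation audit events per user from an exported Security log and lists non-administrative accounts at or above a threshold. The event ID 635, the comma-delimited column layout, the account names and the threshold are assumptions, and the sample log lines are constructed.

```python
import csv
import io
from collections import Counter

# Assumption: 635 is the Security log event ID NT records for
# "Local Group Created"; confirm it against an event in your own log.
LOCAL_GROUP_CREATED = 635

# Constructed sample export. Assumed column layout (not from the page):
# date,time,source,type,category,event,user,computer
SAMPLE_LOG = """\
3/22/99,09:14:02,Security,Success Audit,Account Management,635,EXAMPLE\\jdoe,PDC01
3/22/99,09:14:05,Security,Success Audit,Account Management,635,EXAMPLE\\jdoe,PDC01
3/22/99,09:14:09,Security,Success Audit,Account Management,635,EXAMPLE\\JDoe,PDC01
3/22/99,09:14:11,Security,Success Audit,Account Management,636,EXAMPLE\\jdoe,PDC01
3/22/99,09:15:40,Security,Success Audit,Account Management,635,EXAMPLE\\jdoe,PDC01
3/22/99,10:02:17,Security,Success Audit,Account Management,635,EXAMPLE\\asmith,PDC01
3/22/99,11:30:00,Security,Success Audit,Account Management,635,EXAMPLE\\Administrator,PDC01
3/22/99,11:30:04,Security,Success Audit,Account Management,635,EXAMPLE\\Administrator,PDC01
3/22/99,11:30:09,Security,Success Audit,Account Management,635,EXAMPLE\\Administrator,PDC01
3/22/99,11:45:00,EventLog,Information,None,6005,N/A,PDC01
"""

def group_creations_by_user(log_text, event_id=LOCAL_GROUP_CREATED):
    """Count local-group-creation audit events per user (case-insensitive)."""
    counts = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 8:
            continue  # blank or truncated line
        source, event, user = row[2].strip(), row[5].strip(), row[6].strip()
        if source == "Security" and event.isdigit() and int(event) == event_id:
            counts[user.upper()] += 1
    return counts

def flag_heavy_creators(counts, admins=(), threshold=3):
    """Return non-admin users at or above the threshold, highest count first."""
    admin_set = {a.upper() for a in admins}
    flagged = [(u, n) for u, n in counts.items()
               if n >= threshold and u not in admin_set]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    counts = group_creations_by_user(SAMPLE_LOG)
    for user, n in flag_heavy_creators(counts, admins=["EXAMPLE\\Administrator"]):
        print(f"{user}: {n} local groups created")
```

Set the threshold from the rate of group creation that is normal for the domain, and pass the real administrative accounts in `admins` so their activity is not reported.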

Download

Patch: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt40/i386/CREATALS_x86.exe

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: March 24, 1999
