How can I make sure that only Windows NT 4.0 domain administrators can create domain local groups?
By default, NT 4.0 gives all domain users the right to create domain local groups. However, a user can abuse this right to mount a Denial of Service (DoS) attack against a Windows domain controller (DC). Furthermore, having too many domain local groups can significantly increase the size of the SAM database and generate excessive SAM replication traffic on the network.
The creatals.exe tool from the Microsoft Windows NT Server 4.0 Resource Kit Supplement 4 lets you modify the DOMAIN_CREATE_ALIAS user right so that only domain administrators can create domain local groups. You can download the tool from Microsoft's Web site (ftp://ftp.microsoft.com/bussys/winnt/winntpublic/reskit/nt40/i386).
To run the tool, you must be a domain administrator on the PDC. If you want to deny user Joe the right to create domain local groups, you'd type
at the command prompt. To grant Joe the right to create domain local groups, type the command
To grant only members of the Administrator and Account Operator groups the right to create domain local groups and remove the right for everyone else, you can use the -a switch:
To get an overview of all users who have the right to create domain local groups, use the -l switch: