Skip navigation

JSI Tip 0551 - Ordinary users can create local groups on your PDC.

An ordinary users can create local groups on your PDC. This functionality allows then to assign permissions to more easily manage access to their shared resources. The Sales Manager could create a local Sales group and place users and global groups in it. They can then assign permissions to the local Sales group. To do this, they would:

net localgroup groupname \["UserName1" "UserName2" "GlobalGroup1" ...\] /add /comment:"text" /domain

To subsequently add additional users or groups they would:

net localgroup groupname "UserName3" "SalesDom\UserName4" "GlobalGroup2" /add /domain

To remove users or global groups:

net localgroup groupname "UserName2" "SalesDom\UserName4" /delete /domain

and to remove the local group:

net localgroup groupname /delete /domain

If you are attacked by repeated submissions, you can use KB article Q140380 to compact your SAM after you have manually deleted the unwanted groups. Use method three,

If you wish to disable a users ability to add local groups to the domain, download creatals_x86.exe or creatals_axp.exe.

The default Microsoft Windows NT user rights allow non-administrative users to create domain local groups. The CREATALS command line utility is used to modify the DOMAIN_CREATE_ALIAS rights on the domain. This utility applies to Windows NT 4.0 and previous versions on Windows NT and will not be required or supported in future releases.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.