Title: Disabling Creation of Local Groups on a Domain by Non-Administrative Users
Date Issued: June 1, 1998
Last Modified: June 1, 1998
Code: MS98-001
Source: Microsoft
Microsoft Security Bulletin (MS98-001)

Disabling Creation of Local Groups on a Domain by Non-Administrative Users

Last revision: June 1, 1998 

Summary
The default Microsoft® Windows NT® access controls allow
non-administrative users to create local groups in the domain. Domain
local groups reside only on the domain controllers, which share a
single security account manager (SAM) database. 

Issue
The SAM stores a local group as an alias, so the ability for
non-administrative users to create aliases on the domain could be
abused: a user who creates a large number of local groups in the
domain causes the account database to grow without limit. Unrestricted
local group creation could crash the domain controller and generate
excessive network traffic, because every new local group is replicated
from the primary domain controller to the backup domain controllers. 

Affected Software Versions
Windows NT Server 3.1, 3.5, 3.51 and 4.0 

More Information
The default access controls on the Windows NT domain object grant all
users the right to create local groups on the domain controller. The
access right on the domain object is known as DOMAIN_CREATE_ALIAS. 

The ability for non-administrative users to create local groups on a
server is documented in the Windows NT Server Concepts and Planning
manual. The capability lets users control access to resources they own.
For example, a user who wants to share files stored on a network server
can create a local group in the domain, add the intended users to it,
and grant that group access to the files and directories. This is far
more manageable than setting access controls for each individual user. 

When a user creates a local group, only that user or an administrator
can change the group's membership or delete the group. 

Please see Microsoft Knowledge Base article Q169556 for more
information, including the availability on
http://www.microsoft.com of a tool to change this default
behavior. 

What Microsoft Is Doing
Microsoft is distributing this bulletin to increase awareness of
this feature and its implications when abused by an authorized
user. 

A utility to change this designed behavior can be obtained free
of charge from Microsoft Technical Support (see
http://www.microsoft.com/support for contact information).
This utility can be used to change the default behavior and
restrict the creation of local groups to administrative users. 

Microsoft will make this tool available for download from the
microsoft.com Web site shortly. Please see Microsoft Knowledge
Base article Q169556 for information about downloading this
software when it becomes available. 

What Customers Should Do
Enabling auditing of "User and Group Management" (in the Audit Policy
of User Manager for Domains) produces a Security log event on the
domain controller each time a local group is created in the domain.
Users who abuse the right by creating a large number of groups can be
identified in this manner, and appropriate administrative action can be
taken. 

A utility to change this designed behavior is available from Microsoft
Technical Support. It restricts the creation of local groups to
administrative users. Customers affected by this access right can obtain
the utility from Microsoft Technical Support now, ahead of the planned
Web download. 

Other References
Microsoft Knowledge Base article Q161990,
http://support.microsoft.com/support/kb/articles/q161/9/90.asp

Revisions
June 1, 1998: Bulletin Created 

For additional information on security issues at Microsoft, please
visit www.microsoft.com/security. 

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE
BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR
IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL
DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. 

© 1998 Microsoft and/or its suppliers. All rights reserved. 
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.