How can I make sure that only Windows NT 4.0 domain administrators can create domain local groups?

By default, NT 4.0 grants every domain user the right to create domain local groups (the DOMAIN_CREATE_ALIAS user right). A user can abuse this right to mount a Denial of Service (DoS) attack against a domain controller (DC): creating a large number of domain local groups significantly increases the size of the SAM database and generates excessive SAM replication traffic from the PDC to the BDCs.

The creatals.exe tool from the Microsoft Windows NT Server 4.0 Resource Kit Supplement 4 lets you modify the DOMAIN_CREATE_ALIAS user right so that only domain administrators can create domain local groups. You can download the tool from Microsoft's FTP site (ftp://ftp.microsoft.com/bussys/winnt/winntpublic/reskit/nt40/i386/creatals_x86.exe).

You must run the tool on the PDC (which holds the writable copy of the SAM) while logged on as a domain administrator. To deny user Joe the right to create domain local groups, you'd type

creatals -dJoe

at the command prompt. To grant Joe the right to create domain local groups, type the command

creatals -gJoe

To restrict the right to members of the Administrators and Account Operators groups and remove it from everyone else, use the -a switch:

creatals -a

To list the users who currently hold the right to create domain local groups (a useful check to run after you've changed the right), use the -l switch:

creatals -l