Guest Account Can Create Local Groups in Untrusted Domains (102562)


The information in this article applies to:

  • Microsoft Windows NT Server 3.1
  • Microsoft Windows NT Workstation 3.1
This article was previously published under Q102562

SUMMARY

Any user who can run User Manager for Domains on a Windows NT Advanced Server can create a local group for any untrusted domain in which the Guest account is enabled.

MORE INFORMATION

Any user who can run User Manager for Domains on a Windows NT Advanced Server can choose Select Domain from the User menu and enter any domain name. If that domain has the Guest account enabled, the New Local Group command on the User menu will not be dimmed (grayed out).

The user can then create a local group and add any accounts for the domain into the local group. However, although the group can be created, this group cannot be assigned permissions on the server because file access is not available. The user can also delete this local group because the user is the owner of the group.

Although the Delete, Rename, and Properties commands on the User menu are available, the user will receive an "Access Denied" message when he or she tries to use these commands.
Modification Type:MajorLast Reviewed:10/30/2003
Keywords:kbnetwork KB102562
©2003 Microsoft Corporation. All rights reserved.