Users Group Member Can Add New Users in Windows XP (310753)

SUMMARY

When a member of the Users group tries to use the Users and Passwords tool in Control Panel in Windows XP, the user is prompted for the Administrator password:

You must be a member of the Administrators group on the computer to open the Users and Passwords control panel. You are logged in as Machine_name\User_name, which is not a member of the Administrators group.

Specify the user name and password of an Administrator on this computer to continue:
User name:
Password:

You can change your password without opening the Users and Passwords control panel by pressing CRTL-ALT-DEL and selecting Change Password.

However, the Administrator account and password are ignored if the user runs the Administrative Tools tool in Control Panel. The user can gain access to the Computer Management tool and the Local Users and Groups subtree it contains. When the user gains access, a member of the Users group can add a new user to the computer. The user can also change the password for the created account. Members of the Users group cannot promote the new user to the Administrators group, nor can they change another account's password.

MORE INFORMATION

This behavior is the default configuration in Windows XP. To disable this functionality, revoke the "NT Authority\Authenticated Users" security principal from the Power Users group:

Log on to the Windows-based computer using an account with administrator rights.
Click Start, and then click Control Panel.
Double-click Administrative Tools, and then double-click Computer Management.
Double-click Local Users and Groups, and then click the Groups folder.
In the right pane, double-click Power Users.
Click NT AUTHORTY\INTERACTIVE, and then click Remove.
Click OK.