CREATALS.EXE

The default Microsoft Windows NT user rights allow non-administrative users to create domain local groups. Domain local groups reside only on the Domain Controllers, which share a single security account manager (SAM). 

The ability for non-administrative users to create aliases on the domain could potentially be abused by creating a large number of local groups in domain and causing the size of the account database to grow unrestricted. Unlimited local group creation could result in the domain controller crashing, as well as excessive network traffic due to the replication of local group information to backup domain controllers. 

The CREATALS command line utility is used to modify the DOMAIN_CREATE_ALIAS rights on the domain.  This utility applies to Windows NT 4.0 and previous versions on Windows NT and will not be required or supported in future releases.

See Microsoft Knowledge Base Article Q169556 for more information.

Usage: CREATALS: [ -d<Account> | -g<Account> | -a | -r | - l]

Where -d<Account> Denies CreateAlias access to the specified account
        *** Note: Deny to administrators is not allowed
      -g<Account> Grants CreateAlias access to the specified account
      -l Lists the accounts that have CreateAlias access
      -a Restricts access to Admins/AccountOps only
      -r Resets the ACL to NT 4.0 default

    You can have as many arguments as you wish. This routine doesn't check
    for consistency in the arguments. It simply processes the arguments
    one at a time. Determine the required accesses carefully.


For most uses, you should simply use the -a or the -r option. However, using the -d and -g options allow for greater control, but require more diligence in determining the correct settings. 

The command must be run by the Domain Administrator on the Primary Domain Controller.