OpenAFS:
Foreign users can bypass access controls to create groups as system:administrators, including in the user namespace and the system: namespace.