|
Posted by Joe Richards [MVP] on May 25, 2006, 2:00 pm
Please log in for more thread options No, I have looked at the source code, it really isn't possible.
MSFT stopped WINS dev work sometime ago, the last real work was done in some DB
changes between NT4 and 2K (which is why you needed special DLLs in place if you
moved a DB from an NT4 machine to a 2K machine). Real serious delegation other
than read access wasn't looked into that I am aware.
Anyway, WINS itself is unauthenticated and insecure. The WINS admin stuff which
is a completely separate interface is what is authenticated and secured. You can
use tools such as nblookup or nmblookup to look at the records and if you look
carefully through the SAMBA stuff you will find pieces that will modify info
including adding/deleting records, etc. This isn't anything MSFT really made
available because obviously there are some issues there.
You have the same thing with non-secured DNS now but there are tools readily
available to do these modifications such as nsupdate which is a reason why MSFT
was so keen on offering secured DDNS.
In general, I don't see the point in letting folks muck with WINS, it tends to
take care of itself pretty well when admins stop fudging with it. I ran one of
the larger single centralized WINS infrastructures in the world handling
hundreds of thousands of machines and there were 3 people with rights to make
changes and that was more than enough. What exactly is it that you think you
need to give people the ability to do?
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Nobloz wrote:
> It's a pitty that we don't know how. I still think it must be possible but...
> It's a good idea moving the wins server to a member server. But have a
> server running only for wins is a little overhead for small companies. But it
> is better
> then give them the AD permissions.
>
> Thanks sofar.
>
> Greetz,
>
> Nobloz
>
> "Steven L Umbach" wrote:
>
>> As Joe said you can't. What you might want to consider is to move WINS to a
>> non domain controller and then you might feel better about adding the users
>> to the local administrators group for that server which gives them no
>> special powers in the domain other than disruption by messing up WINS
>> records and configuration. --- Steve
>>
>>
>>> Hi,
>>> I want to make a Global / Local groep like WINS Users (when WINS is
>>> instaled
>>> on a DC W2K3), but then that they have Full Permissins on WINS.
>>> On the moment I need to give Administators permissions, and we don't want
>>> that.
>>> Any Idea where I can set this permission (delegation)
>>>
>>> Greetz,
>>>
>>> Nobloz
>>>
>>
>>
| 
XML Sitemap