domain controller security policy... just dont get it

i have a server 2003 machine running as a domain controller; it is also a
file server. this server is the only domain controller, and no network
clients are actually joined to the domain, they are all in separate
workgroups. i have created a share on the server and given "everyone" full
access on both the share permissions tab, and the ntfs security tab for the
folder. i then enabled the guest account in AD on the server. with this
configuration, all network clients, regardless of the workgroup theyre in,
and regardless of what local username theyre logged on to their computer
with, can access the share with no problems. heres the part i dont get: lets
say one of the users is logged on to their local computer using the username
joemama, with password 12345. if an account named joemama also exisits in AD
on the server, and the passwords dont match, the user is denied access, and
is instead prompted with a log on box. to try and fix this i changed the
"domain controller security policy, local policies, security options" to
say: "network access: sharing and security model for local accounts": "guest
only: local users authenticate as guest".

but this still doesnt work. users are prompted if their local account name
also exists in AD on the server. why is this??? should all users be
authenticating as guest now, regardless of their account name? i even tried
enabling "let everyone permissions apply to anonymous users" with no luck.
can someone please give me a definitive explanation to this behavior and
tell me how ti "fix" it. and no, these workgroup users can not join the
domain, its not an option. thank you.

The behavior you are seeing is due to the fact that on a DC, the only
accounts database which exists is that of Active Directory. So for the AD
joemama account (lol, btw), make it's password match that of the joemama
account on local workstation sitting in the workgroup. After you do this,
try further testing it with the guest account enabled, and then disabled.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights.

right... but thats not my problem. im aware that if i create matching
accounts it will work fine. what i want is for users to authenticate via the
AD guest account regardless of whether or not they have a matching AD/local
account name and password. this doesnt seem to be happening.

IF they do NOT have an AD account that matches their local account, the
shares open right up (obviously theyre authenticating as the AD guest
account).

if the DO have an AD account that matches their local account, then they do
NOT authenticate via the AD guest account because if the AD/local account
passwords do not match, they can not get to the shares. so what is going on?
im TELLING the server to authenticate users as guest and its still not
working





"Todd J Heron" <(E-Mail Removed)> wrote in message
news:OLFgW%(E-Mail Removed)...
> The behavior you are seeing is due to the fact that on a DC, the only
> accounts database which exists is that of Active Directory. So for the AD
> joemama account (lol, btw), make it's password match that of the joemama
> account on local workstation sitting in the workgroup. After you do this,
> try further testing it with the guest account enabled, and then disabled.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights.
>

>what i want is for users to authenticate via the AD guest account
>regardless of whether or not they have a matching AD/local account name and
>password. this doesnt seem to be happening.

Right. Since you're not concerned about security implications of all this,
go into Active Directory on the server, drill into the Builtin folder and
then open up the Guests global group, then click the members tab. Add
'Domain Users' to this group. Then try it again.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights.