Allow workgroup users' local accounts to authenticate with 2012 domain

Just replaced the 2003 server with a new 2012 Essentials server.  Created a new domain and in the active directory users, created an account that matches the local users on the workgroup systems.

When trying to access the SMB share it prompts for the username and password.  I recall there was a setting in the group policy to basically ignore the domain.  I do not want everyone connecting with guest rights where 2 users do have NTFS file permissions on some sub folders.

Please help.  Anything is appreciated.
Bryan Pivik Asked:
Cotillion Commented:
So you're saying you set up a domain, but didn't join any of the computers to it?

Is there a reason why you don't want the computers on the domain?
1
yo_bee (Director of Information Technology) Commented:
Since you are on a workgroup computer you have not authenticated to the domain yet. You need to authenticate against the domain at least once before you can access a share on the domain. When you are joined to a domain you are doing the initial authentication at logon. This is why you are prompted when you try to access the domain share.
0
McKnife Commented:
There's no such setting. Local users with the same name and pw cannot be used. Use domain users, migrate the profiles.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
If the workgroup name is the same as the domain name, it indeed works, without doing anything more.
But you cannot provide a (different) domain name to be used automatically. You need to supply it manually once after each reboot or login.
0
McKnife Commented:
Qlemo, for me that does not work (Win 8.1). I remember that back in the days of our NT4 domain, that did indeed work.
1
Bryan Pivik (Author) Commented:
Thank you kindly for the fast responses.  I was able to figure out the issue.  Previously on the last question I asked I believe I was too verbose and did not get as fast/great responses.  I understand, I hate reading also.

The issue was the user names were renamed in the horrible rename feature in Windows that misleads people into thinking that is their real user name for the network that is shown as the profile or on the start menu.  Ultimately I found this when double checking the systems' credentials.  I was working on 2 workstations for the first machines to be flipped to the new server.  Threw me off where they were believed to be identical and were not authenticating.

Here is quick example of solution to maybe help others :)

User name in profile / start menu:    "ABC"       <------  What you think your username is

Network username submitted to server:    "Owner"   or to be more specific the machine is a part of that too like "YourPC\Owner" which is important format but NOT caps sensitive.

Why is it?  When you create a new account the user name set first is what will be used forever for that account.  The issue comes where it is easy for the person to rename the account, which does not affect the network user name.

To check quickly if that is the case you can do one of the following:

Option 1:

1) click start menu and "Run".  Or hit "Windows Key" + "R"

2) In the run box, type  %username% and hit enter.

3) Window displayed says error of "Windows  cannot find 'YOUR-USER-NAME'. Make sure ..."

Option 2:

1) Open Windows Explorer and browse to C:\Users

2) In there you will see the following folders:
Public
Default       <---- If you have hidden folder on

The trick is the other folders in there are the actual network names for those user accounts.  Exclude any folders that have .NET, QBDataService, LogMeInUser, or other odd service accounts that actually made their own users behind the scenes to be used.

The other folders are the accounts that have been logged on the computer before.  Your existing user that you are trying to confirm is one of those other folders there.  You can browse in the folder and check like the desktop or documents folder to confirm that it is the right account.  

This method takes longer but gives a better feel for what is on the system.

SOoooooo.  In this strange case where the home edition computers are in a mixed domain environment.  Everything works out great if you match the username on the workgroup computer to the server.  If the system is on the same network and no other security things have been changed on the server this should be fine out of the box.  Obviously not the standard practice or recommended.  Just I know that this method works to allow workgroup systems to work with a domain controller.
0
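
The two manual checks in the post above (`%username%` and the folders under C:\Users) can be done in one pass. This is an added PowerShell example, not part of the original post; it uses Get-WmiObject so it runs on the Windows PowerShell versions found on the Vista/7/8.1 workstations mentioned in the thread (an assumption about what is installed).

```powershell
# Added example: show each local account's real logon name beside the
# display name and the profile folder, to spot accounts that were "renamed"
# in the Control Panel but still log on to the network under the old name.
# Get-WmiObject works on Windows PowerShell 2.0-5.1; on PowerShell 7 use
# Get-CimInstance with the same class names.

# Map SID -> profile folder, skipping system/service profiles (Special).
$profiles = @{}
Get-WmiObject -Class Win32_UserProfile |
    Where-Object { -not $_.Special } |
    ForEach-Object { $profiles[$_.SID] = $_.LocalPath }

# LocalAccount=True keeps the query on this machine's own accounts.
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    ForEach-Object {
        New-Object PSObject -Property @{
            # Name is what is sent to the server (PCNAME\Name).
            LogonName   = "$($_.Domain)\$($_.Name)"
            # FullName is the label shown on the start menu / logon screen.
            DisplayName = $_.FullName
            # Empty if the account has never logged on to this machine.
            Profile     = $profiles[$_.SID]
            Enabled     = -not $_.Disabled
            # True when the visible label differs from the logon name.
            Mismatch    = [bool]($_.FullName -and ($_.FullName -ne $_.Name))
        }
    } |
    Select-Object LogonName, DisplayName, Profile, Enabled, Mismatch |
    Format-Table -AutoSize

# The name the current session presents to a file server.
"Current session logon name: $env:USERDOMAIN\$env:USERNAME"
```

Rows with Mismatch = True are the accounts where the server-side user must be created under LogonName, not under the display name.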
Bryan Pivik (Author) Commented:
Just for the specifics to be clear.

Workstations are mixed:  Windows Vista (32/64), Windows 7 Home/Pro, and Windows 8.1

Server 2012 Essentials    ( First time I used, I know this works with Server 2013 R2 Standard)

There was 1 policy that I changed on the server in Group Policy, but I only did it in troubleshooting so I do not think it is required for the functionality to work.

Run GPEDIT for the domain. Apply to both the controller and the default domain policy.

\Local Computer Policy\Windows Settings\Local Policies
      "Network Access:Sharing and security model for local accounts"  
<Set To>   Classic - Local Users Authenticate as themselves    (Default setting on new AD)  

\Local Computer Policy\Windows Settings\Local Policies
      "Network Access:Allow anonymous SID/Name translation"  
<Set To>   Enabled
0
Bryan Pivik (Author) Commented:
Main point here is I have seen people "fix" the mixed office roles in very creative manners that are not nearly as secure or easy to work with later.

- Do not use the "Save Credentials" on the network map function in Explorer.  This saves in the registry the credentials and Windows forgets or prompts the user to reconnect and they always answer wrong, then no more drive mapping.  Script is the way to go.

- Do not include the user name and password in the Net Use statement in the local run scripts to map the drives.  IF you need to, then you are not being properly authenticated as mentioned above in my first solution comment.

- Do not modify the permission on the server GPO that allows all network users to authenticate as guests!  This breaks security in the office.  No longer are any of the files private anymore, so ANYONE on the network could browse the files.  Crazy, yes, I have seen this before!  That would only make sense if you have a dedicated server that is publicly facing so you would give like read permissions to the share.   Thus, allowing access to download files and they can be modified locally on the server.  But it would be absolutely crazy to set it that way in an office sharing the server files for live production work.
0
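
The three "do not" items in the post above can be audited on a machine with a short script. This is an added PowerShell example, not part of the original post; `$ScriptDir` is a placeholder for wherever the logon scripts are kept, and the `cmdkey` match assumes the target lines contain `target=`.

```powershell
# Added example: audit for saved credentials, passwords in mapping scripts,
# and the guest-only sharing model. $ScriptDir is an assumed location.
$ScriptDir = 'C:\Scripts'

# 1) Saved credentials: entries stored for network targets show up in
#    Credential Manager, which cmdkey lists for the current user.
$saved = @(cmdkey /list | Select-String -Pattern 'target=')
if ($saved.Count -gt 0) {
    'WARN: stored network credentials found:'
    $saved | ForEach-Object { '  ' + $_.Line.Trim() }
} else {
    'OK: no stored network credentials for this user'
}

# 2) Credentials embedded in drive-mapping scripts: flag any "net use"
#    line that passes /user: (a password normally sits next to it).
if (Test-Path $ScriptDir) {
    $hits = @(Get-ChildItem -Path $ScriptDir -Recurse -Include *.bat, *.cmd |
        Select-String -Pattern 'net\s+use\b.*/user:')
    if ($hits.Count -gt 0) {
        'WARN: net use lines with explicit credentials:'
        $hits | ForEach-Object { "  $($_.Path):$($_.LineNumber)" }
    } else {
        'OK: no net use lines with /user: found'
    }
} else {
    "SKIP: $ScriptDir does not exist"
}

# 3) Sharing and security model for local accounts: ForceGuest = 1 is
#    "Guest only", 0 is "Classic - local users authenticate as themselves".
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.ForceGuest -eq 1) {
    'WARN: network logons with local accounts are mapped to Guest'
} else {
    'OK: Classic model, users authenticate as themselves'
}
```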
Bryan Pivik (Author) Commented:
Of course my solution does not allow for management or GPO of the workstations in this manner.  The passwords, when they need to be changed, MUST be updated on the server AND on the local workstation.  That is the biggest cost for a simple office that uses the server mainly as a strong NAS and print server only.  

I call this "Creative Management"   :)
0
Bryan Pivik (Author) Commented:
Thank you for all the great help.  In this case I got it on my own.  This was an odd setup where there is such a mixed unmanaged environment.  But that is what the client needs for their budget and implementation time.  The method I have done works and I have done it before in special cases.  Making sure to also script the network mapped drives and time sync to the file server is also important.  That script should run from the workstations at login.  

In this case I have not set up 2012 Essentials Server before so thought it was something different I was not aware of.  The old bag of tricks worked here.

Simple Net.bat file at workgroup computer login example (don't use server name due to possible DNS issues or you know how):

Net Time \\ServerIPAddress /SET /Y
Net Use N: \\ServerIP /Y
0
Bryan Pivik (Author) Commented:
Sorry Qlemo.  They helped but it was my resolution that worked.  Did not mean to confuse the system.  Hope my comments can help others.
0