workgroup vs domain shares
Hi Folks, I have an external "workgroup" and a domain. I would like to add these to my domain, but I am wondering if there's a way that they can see the shares without actually joining the domain. I can see the domain I want to see the shares in, but I can't get any further than that. Also the workgroup PC has no name/pw authentication. Could that be causing the issue? Or is the workgroup not going to see the domain no matter what I do. I was also wondering if they can be part of both, the workgroup and log in the domain when they want to.
July 3rd, 2008 7:59pm

You could use the trick which worked with W98 machines (which could not join a domain). The workgroup members need to have usernames with passwords. Make the workgroup name the same as the domain name. Set up domain accounts which match each workgroup user. When a workgroup user tries to access a shared file in the domain it will present its logon credentials (workgroup/username/password). They will be accepted because they match the domain/username/password entry in the domain account.
Bill
July 4th, 2008 6:05am

Hi,

<I am wondering if there is a way that they can see the shares without actually joining the domain.>

Simply, the answer is yes. First, make sure the workstation computer can ping through the server where share folders reside. Second, make sure the shared folders on the server have NTFS permission and Sharing permission properly configured.

Additionally, you have to look at the following Group Policy settings on the DC that the client is attempting to connect to because that is where the policy is restricting or allowing file access.

1) Check the local security policy by running secpol.msc on the domain member server
2) Double click Local Policy
3) Double click User Rights Assignment
4) Search for the following policies: "Access this computer from the network". The default setting for the "Access this computer from the network" policy is to allow: Administrators, Power Users, Users, Backup Operators, and the Everyone group. On "Deny access to this computer from the network", remove the guest account
5) Set Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Additional restrictions for anonymous connections to "Do not allow enumeration on SAM accounts and shares" to disable.
6) Network access - let everyone permission apply to anonymous users - Make sure that it is enabled
7) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: sharing and security model for local accounts. If you enable 'only guest can access sharing', please make sure you enable Guest account on the client and server.

Please also understand, in a domain-based environment, access to the objects can be performed by a TOKEN ACCESS LIST. Users obtain this token when they log in to the Domain Controller. In this way, all communication between client and server is strongly encrypted. When a resource is not in the domain, it would not be as secure as the domain is.

<Also the workgroup PC has no name/pw authentication. could that be causing the issue?>

Yes, it could cause the security issue. We suggest you at least use NTFS permission to grant some specific users access to the share resources. If everyone can access these shares without authentication, on one hand, it may lead to data loss due to users' manipulation; on the other hand, it exposes the shares to non-authenticated users and may leak business-critical information.

Hope this helps.
Best wishes
--------------
Morgan Che
July 4th, 2008 9:43am
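
A read-only check of the settings named in the reply above, added here as an example and not part of the original thread. It assumes Windows PowerShell 5.1 or later, run elevated on the member server that hosts the shares; the function name Get-AnonymousAccessAudit is hypothetical, and the registry value names are the ones these Security Options map to under the Lsa key.

```powershell
# Added example (not from the thread): read-only audit of anonymous/guest access settings.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Security Option -> registry value under the Lsa key, with the value that keeps access closed.
$Checks = @(
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts and shares'; Name = 'RestrictAnonymous';         Closed = 1 }
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts';            Name = 'RestrictAnonymousSAM';      Closed = 1 }
    @{ Policy = 'Let Everyone permissions apply to anonymous users';             Name = 'EveryoneIncludesAnonymous'; Closed = 0 }
    @{ Policy = 'Sharing and security model for local accounts (1 = Guest only)'; Name = 'ForceGuest';               Closed = 0 }
)

function Get-AnonymousAccessAudit {   # hypothetical helper name
    param([string]$Path = $LsaKey)
    foreach ($c in $Checks) {
        $prop  = Get-ItemProperty -Path $Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($prop) { $prop.($c.Name) } else { $null }
        $state = if ($null -eq $value) {
            'NOT SET (OS default applies)'
        } elseif ($value -eq $c.Closed) {
            'closed'
        } else {
            'OPEN to anonymous/guest'
        }
        [pscustomobject]@{ Policy = $c.Policy; RegistryValue = $c.Name; Current = $value; State = $state }
    }
}

# The built-in Guest account keeps RID 501 even when it has been renamed.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

# Share permission entries that allow broad or unauthenticated principals.
$broad = Get-SmbShare | Get-SmbShareAccess | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.AccountName -match 'Everyone|ANONYMOUS LOGON|Guest'
}

Get-AnonymousAccessAudit | Format-Table -AutoSize -Wrap
"Guest account '{0}' enabled: {1}" -f $guest.Name, $guest.Enabled
$broad | Format-Table Name, AccountName, AccessRight -AutoSize
```

An OPEN row, an enabled Guest account, or a broad share entry means users who have not authenticated can reach the shares, so review each one against the NTFS and share permissions on the folders involved.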

Great! Thanks guys. I'm working on it now. I'll post how it turns out.
July 7th, 2008 3:25pm

I am concerned now. I re-read this post as I was going through the steps you mentioned. The last item, "security issue", really concerns me. Allowing anonymous users is not something I am comfortable with, to say the least. I think I need to start making them log in on the workgroup, giving them user names and pw. These users are not advanced users by any means, and the rooms they use are limited access, so hands-on security is okay. So, long story short, the meat of the question: If I have them as a workgroup log in on the local workstation/workgroup, can another account be created to log into the domain without messing with the workgroup settings? This seems like an obvious YES to me, but I am not an advanced admin either, as being the network admin assistant is just one of my many jobs.
July 7th, 2008 4:24pm

This topic is archived. No further replies will be accepted.
