Network access: Sharing and security model for local accounts

Network access: Sharing and security model for local accounts

This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource.

If this setting is set to Guest only, network logons that use local accounts are automatically mapped to the Guest account. By using the Guest model, you can have all users treated equally. All users authenticate as Guest, and they all receive the same level of access to a given resource, which can be either Read-only or Modify.

Default on domain computers: Classic.
Default on stand-alone computers: Guest only

Important

With the Guest only model, any user who can access your computer over the network (including anonymous Internet users) can access your shared resources. You must use the Windows Firewall or another similar device to protect your computer from unauthorized access. Similarly, with the Classic model, local accounts must be password protected; otherwise, those user accounts can be used by anyone to access shared system resources.

Note:

This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services. Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

This policy will have no impact on computers running Windows 2000.
When the computer is not joined to a domain, this setting also modifies the Sharing and Security tabs in Windows Explorer to correspond to the sharing and security model that is being used.

Policy path: 

Computer Configuration\Windows Settings\Local Policies\Security Options

Comments: 

Important: This setting only affects computers running Windows XP Professional which are not joined to a domain. This policy will have no impact on computers running Windows 2000. For more information, search for "Security Setting Descriptions" in the Win

Supported on: 

At least Windows XP SP2, Windows Server 2003

Registry settings: 

MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest

Reboot required: 

No

Related content