
I have a network containing a mixed collection of Windows domain and workgroup computers.

Currently, the workgroup computers can access file/folder shares hosted on domain computers if the user provides valid domain credentials when connecting. I need to make this impossible.

Is there a way to enforce a requirement that the client computers are members of the domain before granting them access to domain network shares?

The domain controller is running Windows Server 2016 Standard.

Mikuso
  • I don't know what you are trying to accomplish with that policy, but I don't think it's possible. To my knowledge, access rights are always validated for users, not computers. There could be a "new" way in the newer 2016 ADMX templates maybe, but I wouldn't bet on it. – Lenniey Jan 17 '19 at 10:43
  • I've found a similar question in another forum https://goo.gl/D4bVbb; the top answer states "this sort of thing is trivial if the server OS is Windows Server 2012 R2 or Windows Server 2016", but unfortunately doesn't go into any detail. – Mikuso Jan 17 '19 at 11:02

2 Answers

I had a similar situation a few years ago and I remember the solution was to block the computers with the firewall. I don't remember if I would deny access to certain addresses/ranges [when coming in on port 445] or grant access to certain addresses/ranges and deny all others. But I do remember that I did it with the firewall, not permissions or policies. So, take a look at the firewall; if you play around with it a little bit, you should be able to make it work.

Larryc

What you want is called 'Domain Isolation'. It is a bit complex to implement.

The key element of domain isolation is a set of connection security rules in the Windows firewall, distributed by GPO, that force domain members to authenticate before connections are accepted. My advice is to first experiment in a lab: it is easy to have 'too much isolation' and end up with a domain or machines that cannot be used at all. I've been there, in a lab fortunately...

There's a lot of information on domain isolation. You can start reading here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example
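One way to build the connection security rule this answer describes, as an added example that is not part of the original answer: PowerShell using the NetSecurity module on a domain-joined admin host with RSAT, writing into a GPO that is later linked to the file servers. The domain name `example.local` and the GPO name `Domain Isolation - SMB` are placeholders.

```powershell
# Added example, not from the answer above. Assumes a GPO named
# "Domain Isolation - SMB" already exists in the domain "example.local"
# (both placeholders) and that the NetSecurity module (RSAT) is available.
# PolicyStore takes the form "<domain>\<GPO name>".
$Store = 'example.local\Domain Isolation - SMB'

# Phase 1 (main mode) authentication: computer Kerberos only. A workgroup
# host has no machine account, so it cannot satisfy this proposal even if
# its user types valid domain credentials at the SMB layer.
$Proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$Phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Require computer Kerberos' `
    -Proposal $Proposal -PolicyStore $Store

# Connection security rule: inbound TCP/445 must be IPsec-authenticated.
# Outbound is only requested, so the servers can still reach non-isolated
# hosts (printers, appliances) while the rollout is in progress.
New-NetIPsecRule -DisplayName 'Isolate SMB to domain members' `
    -Protocol TCP -LocalPort 445 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $Phase1.Name -PolicyStore $Store

# Firewall rule for SMB-in that accepts only authenticated (IPsec-protected)
# connections, so an unauthenticated peer is dropped even if the connection
# security rule above is later relaxed to Request.
New-NetFirewallRule -DisplayName 'SMB-in (authenticated only)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -Authentication Required -Action Allow -PolicyStore $Store

# Check from a domain member after gpupdate: a main-mode SA should appear.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId
```

Scope the GPO to the file servers only (not to domain controllers) and test with one workgroup and one domain-joined client before widening it; a workgroup client should fail to connect at all, while a domain client shows a Kerberos main-mode SA.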