v5.2.6, build711 (GA) SSO_Guest_Users - traffic does not match
Greetings to you
When I moved to 5.2.6 I faced this problem! Users not in the domain are supposed to appear as guests.
I configured FSSO with the agent installed on Active Directory. I can see users who are on the domain and that is fine, but I can't see users who are not in the domain, and I want to control them by policy. As far as I know, in version 5.0.6 I could control non-domain users by adding this command in the policy:
set ntlm enable
When I put the SSO_Guest_Users policy at the top with a source address of, for example, 10.10.10.1/32 (one PC),
and another policy with source address (all), traffic will not match the first policy; it will match the second policy! This is not what I want.
see this

And this is the config of the SSO_Guest_Users policy:
policyid : 7
uuid : d6a1767e-d945-51e5-e2f6-26829bd4b44e
srcintf:
 == [ port16 ]
 name: port16
dstintf:
 == [ virtual-wan-link ]
 name: virtual-wan-link
srcaddr:
 == [ PC_TEST_ ]
 name: PC_TEST_
dstaddr:
 == [ all ]
 name: all
rtp-nat : disable
action : accept
status : enable
schedule : always
schedule-timeout : disable
service:
 == [ ALL ]
 name: ALL
utm-status : enable
logtraffic : utm
logtraffic-start : disable
capture-packet : disable
auto-asic-offload : enable
wanopt : disable
webcache : disable
session-ttl : 0
vlan-cos-fwd : 255
vlan-cos-rev : 255
wccp : disable
ntlm : enable
ntlm-guest : enable
ntlm-enabled-browsers:
fsso : enable
rsso : disable
fsso-agent-for-ntlm :
groups:
 == [ SSO_Guest_Users ]
 name: SSO_Guest_Users
users:
devices:
auth-path : disable
disclaimer : disable
natip : 0.0.0.0 0.0.0.0
match-vip : disable
diffserv-forward : disable
diffserv-reverse : disable
tcp-mss-sender : 0
tcp-mss-receiver : 0
comments :
auth-cert :
auth-redirect-addr :
identity-based-route:
block-notification : disable
custom-log-fields:
tags:
replacemsg-override-group:
srcaddr-negate : disable
dstaddr-negate : disable
service-negate : disable
timeout-send-rst : disable
profile-type : single
av-profile :
webfilter-profile : INTERNET LIMITED ACCESS USERS
spamfilter-profile :
dlp-sensor :
ips-sensor :
application-list : Block-social
voip-profile :
icap-profile :
profile-protocol-options: default
ssl-ssh-profile : certificate-inspection
traffic-shaper :
traffic-shaper-reverse:
per-ip-shaper :
nat : enable
permit-any-host : disable
permit-stun-host : disable
fixedport : disable
ippool : disable
central-nat : disable
redirect-url :
Anyway, one guy advised me to type this command in the last policy (all):
set srcaddr-negate enable
When I put in this command, it prevented others from accessing the internet!!!!
Could you please help me! Sometimes I hate FortiGate :(