Improper Group Policy setup, login failure troubleshooting

Group PolicyWhat can I do if the administrator cannot log in due to improper settings? The specific content is as follows.

In WINMAG magazine, the author saw a solution that, if the Group Policy is improperly set in the domain environment, the administrator cannot log on to the everyone group or administrator group in the deny local Logon Policy, however, the premise seems to be to replace the original policy with the release of the priority policy on the DC in the domain environment to solve the problem, so how can we solve this problem in the case of an equivalent network or a single machine? If it can be solved in a single machine, I don't need to tell whether it is a domain environment or a general method. Let's take a look at the actual process. This experiment is completed on virtual machines. The disk format is NTFS and the system is XP .)

The first thing to declare is that in a standalone environment, if "everyone" or "administrator" is not allowed to be directly added to the local login rejected by the Group Policy, the following prompt is displayed:

Figure 1: System rejection prompt when "everyone" group is added

It seems that Microsoft is aware that users can make such a low-level mistake, but it is regrettable that this function only checks "everyone" or administrators, and does not check members of other groups, if a group contains everyone or the administrator, the system is allowed to pass, which leads to the problem. In the experiment environment, the author creates a new group of systemic lupus erythematosus, the group members are "everyone ",

Figure 2: Create a group with members of "everyone"

After confirming, run the "Group Policy" and add the "SYSTEMIC" group to "Deny local users". The system did not give any prompt and passed the command completely,

Figure 3: Add a group named "SYSTEMIC" that contains members of the "everyone" group to deny local logon.

Then restart the system. As expected, when I log on to the system using "administrator", the system prompts an error:

Figure 4: System Login rejected

Obviously, in a single-host environment, there is no way to move it. I first start with the XP installation CD, select repair, enter the administrator password, and enter the console, because in the console, the Group Policy does not work, So login will not be refused,

Figure 5: Enter the Console

Switch the current directory to the "logon. "scr" is copied to "c: \ windows \ system32" again, and the system prompts: "You want to rewrite logon. scr? ", Select "Yes" and enter "exit" to exit the restart.

Figure 6: Change cmd.exe to "logon. scr" and overwrite the original file

",

Figure 7: the system starts the "logon. scr" renamed by cmd.exe"

Next, you can simply enter "gpedit. msc" to start the Group Policy:

Figure 8: Running Group Policy

Then, go to "User Rights Assignment" and double-click "Deny local login ":

Figure 9: deleting a group of Members from the everyone group

Delete the group "SYSTEMIC" that I added that contains "everyone. Log out, and then enter the password of the Administrator account in the logon screen. The logon is successful!

This method is mainly used in the login interface. If you do not move the keyboard or mouse for a long time, the system automatically starts the "logon. scr" vulnerability to solve the problem. Now the simulated environment is completed with the administrator password. If you do not know the password, it does not matter, as long as you use the 2 k pro installation CD to start XP, this method not only solves the problem of improper group policy setting in a single-host environment, but also cracks the administrator password of the system, including DC, I hope Microsoft's next system-Longhorn can avoid such problems and make the system more secure!

If the Group Policy is improperly set, you cannot log on to the fault to solve the problem. More knowledge about group policies needs to be learned by readers.