From: Microsoft China Community
Contents
Preface
Solution to local login denied by Domain Policy
Solution to local login denied by Local Security Policy
Secedit Introduction
Additional instructions
References
About the author
--------------------------------------------------------------------------------
Preface
In Windows 2000, being locked out by a group policy that denies local logon is a well-known headache. This article describes how to recover when every user has been denied local logon.

In Windows, when a user who has been denied the local logon right tries to log on, the system displays "The local policy of this system does not permit you to log on interactively" and the logon fails. Normally the administrator simply edits the Group Policy to remove the user from "Deny log on locally" or add the user to "Log on locally". The trouble starts when the right has been taken away from everybody, most often because the Users group (in a workgroup) or the Domain Users group (in a domain) was added to the deny list by mistake. Deny rights take precedence over allow rights, and in Windows 2000 the Users group contains Authenticated Users, so the administrator is denied as well. The situation looks like an unrecoverable deadlock: to undo the policy setting that denies local logon you must log on locally as an administrator, and to log on locally as an administrator you must first undo that policy setting.
In fact things are not as bad as they look. After some research and testing I found that, as long as network access still works, this deadlock can be broken. Because domain security policy and local security policy store their data differently, the two cases are described separately below.
--------------------------------------------------------------------------------
Solution to local login denied by Domain Policy
The security settings of a domain-based Group Policy object are saved in a security template named GptTmpl.inf, a text file stored in the SYSVOL share of the domain controllers (physically C:\WINNT\SYSVOL\sysvol on each DC). If you cannot log on locally, the quickest way to remove the local logon restriction for all users is to edit this text file directly.
The procedure is as follows:
On another computer (Windows 9x/2000/XP), connect to the SYSVOL share of a DC with a domain administrator account and locate the file "\\<DC name>\sysvol\<Domain name>\Policies\<policy GUID>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf". (<DC name> is the domain controller holding the Group Policy object, <Domain name> is the DNS name of your domain, and <policy GUID> is the GUID of the Group Policy object you want to edit; the Default Domain Policy, for example, is {31B2F340-016D-11D2-945F-00C04FB984F9}.)
Open GptTmpl.inf in Notepad and find the "SeDenyInteractiveLogonRight" entry in the "[Privilege Rights]" section. Its value is the list of SIDs (each prefixed with "*", separated by commas) of the users and groups denied local logon, for example "SeDenyInteractiveLogonRight = *S-1-5-32-545" for the Users group. Delete the SIDs so that the value is empty, but keep the key itself: an empty value assigns the right to nobody. Save the file to its original location.
Open "\\<DC name>\sysvol\<Domain name>\Policies\<policy GUID>\GPT.INI" in Notepad and raise the "Version" value in the "[General]" section, typically by 1000. This is the version number of the policy object; raising it marks the object as changed, so the edit is replicated to the other DCs and applied by clients instead of being skipped as unchanged. Save the file to its original location.
Once the domain policy has been refreshed on the affected computers (by default every 90 minutes on domain members and every 5 minutes on DCs; "secedit /refreshpolicy machine_policy /enforce" forces an immediate refresh), the problem is solved.
Finally, log on to the DC locally and correct the setting properly in the Domain Policy through the Group Policy editor. Saving through the editor also updates the version number recorded on the Group Policy container in Active Directory, which the manual GPT.INI edit does not touch.
--------------------------------------------------------------------------------
Solution to local login denied by Local Security Policy
Windows does not support remote administration of the security settings of the local computer policy (see the Group Policy white paper), and the local security settings are stored in a binary security database, secedit.sdb, whose format is undocumented. Editing the file directly, as in the first part, is therefore not an option. We have to take an indirect route.
The procedure is as follows:
Assume the IP address of the faulty computer is 192.168.0.111. On another computer (Windows 9x/2000/XP) run "telnet 192.168.0.111" and log on to the faulty computer with an administrator account. (If the Telnet service on the faulty computer is not running, start it over the network from the Services MMC snap-in; the details are not covered here. Although the Windows 2000 Telnet service can authenticate with NTLM, the session itself is not encrypted, so do this only on a trusted network.)
In the telnet session, run "net share tmp$=d:\tmp" to share the directory d:\tmp of the faulty computer as the hidden share tmp$. The trailing "$" only hides the share from browse lists and gives no protection, and by default the share permission is Everyone: Full Control, so keep the share alive only as long as needed and remove it afterwards (see the last step). Any other directory can be shared instead.
Run "secedit /export /cfg d:\tmp\sec.inf" to export the local security policy of the faulty computer into the security template d:\tmp\sec.inf, which is a text file.
Connect to "\\192.168.0.111\tmp$" and open sec.inf in Notepad. Find the "SeDenyInteractiveLogonRight" entry in the "[Privilege Rights]" section; its value is the list of SIDs of the users and groups denied local logon. Delete the SIDs and leave the value empty (the right is then assigned to nobody). Save the file to its original location.
Run "secedit /configure /db c:\secedit.sdb /cfg d:\tmp\sec.inf" to import the edited template into the named security database and apply it, reconfiguring the local security policy of the faulty computer.
Still in the telnet session, run "secedit /refreshpolicy machine_policy /enforce" to force the faulty computer to refresh its policy settings. The problem is solved.
After logging on to the faulty computer locally, delete the share with "net share tmp$ /delete" and correct the setting properly in Local Security Policy.
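Both procedures above come down to the same two text edits: emptying SeDenyInteractiveLogonRight in the [Privilege Rights] section of a security template (the GPO's GptTmpl.inf in the first part, the sec.inf exported by secedit in the second) and, for the domain case, raising Version in GPT.INI. The following script is an added example, not code from the original article; it performs those edits while leaving every other line of the files untouched, and it keeps the file encoding intact (templates written by secedit are UTF-16 LE with a byte-order mark, GPT.INI is ANSI). The function names and the sample file contents are constructed for the demo; the domain SID in the sample is a placeholder.

```python
"""Offline repair of Windows security-template text files (added example).

Performs with a script the two Notepad edits the article describes:
  * clear the SIDs from SeDenyInteractiveLogonRight in [Privilege Rights]
    of a security template (GptTmpl.inf or an exported sec.inf);
  * raise Version in [General] of GPT.INI so the changed GPO is picked up.
All sample contents below are constructed for this demo.
"""
import codecs
import re

DENY_KEY = "SeDenyInteractiveLogonRight"
# "Key = value" inside a section; lines starting with ';' are comments.
_KV = re.compile(r"^(\s*)([^=;]+?)(\s*=\s*)(.*)$")


def _edit_key(text, section, key, transform):
    """Apply transform(old_value) to the first `key` inside `[section]`.
    Every other line (including line endings) is kept byte-for-byte.
    Returns (new_text, old_value or None if the key was not found)."""
    out, in_section, old = [], False, None
    for raw in text.splitlines(keepends=True):
        body = raw.rstrip("\r\n")
        eol = raw[len(body):]
        stripped = body.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped[1:-1].strip().lower() == section.lower()
        elif in_section and old is None:
            m = _KV.match(body)
            if m and m.group(2).strip().lower() == key.lower():
                old = m.group(4)
                body = m.group(1) + m.group(2) + m.group(3) + transform(old)
        out.append(body + eol)
    return "".join(out), old


def clear_deny_interactive_logon(inf_text):
    """Empty the deny-local-logon right; an empty value assigns the right to
    nobody, which is what lets the locked-out users log on again.
    Returns (new_text, list_of_removed_sids)."""
    new_text, old = _edit_key(inf_text, "Privilege Rights", DENY_KEY, lambda _v: "")
    removed = [s.strip() for s in (old or "").split(",") if s.strip()]
    return new_text, removed


def bump_gpt_version(ini_text, increment=1000):
    """Raise [General] Version in GPT.INI. The value is a 32-bit number whose
    low 16 bits are the computer-settings version and whose high 16 bits are
    the user-settings version, so the increment must stay within the low word.
    Returns (new_text, old_version, new_version)."""
    def bump(v):
        old = int(v.strip())
        if (old & 0xFFFF) + increment > 0xFFFF:
            raise ValueError("increment would overflow the computer version word")
        return str(old + increment)

    new_text, old = _edit_key(ini_text, "General", "Version", bump)
    if old is None:
        raise KeyError("no Version key in [General]")
    return new_text, int(old.strip()), int(old.strip()) + increment


def decode_template(data):
    """Templates written by secedit are UTF-16 LE with a BOM; GPT.INI is ANSI.
    Return (text, encoding) so the file can be written back the same way."""
    if data.startswith(codecs.BOM_UTF16_LE):
        return data[len(codecs.BOM_UTF16_LE):].decode("utf-16-le"), "utf-16-le"
    return data.decode("cp1252"), "cp1252"


def encode_template(text, encoding):
    """Inverse of decode_template (re-adds the UTF-16 BOM when needed)."""
    if encoding == "utf-16-le":
        return codecs.BOM_UTF16_LE + text.encode("utf-16-le")
    return text.encode(encoding)


# Constructed sample: a GptTmpl.inf fragment denying local logon to
# BUILTIN\Users (*S-1-5-32-545) and to Domain Users (RID 513 of a placeholder
# domain SID), and a GPT.INI whose Version 65539 = 0x00010003
# (user version 1, computer version 3).
SAMPLE_INF = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[Privilege Rights]\r\n"
    "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545\r\n"
    "SeDenyInteractiveLogonRight = *S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-513\r\n"
    "SeNetworkLogonRight = *S-1-1-0\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
)
SAMPLE_GPT_INI = "[General]\r\nVersion=65539\r\ndisplayName=Default Domain Policy\r\n"

if __name__ == "__main__":
    inf, removed = clear_deny_interactive_logon(SAMPLE_INF)
    print("removed from", DENY_KEY + ":", removed)
    ini, old, new = bump_gpt_version(SAMPLE_GPT_INI)
    print("GPT.INI Version", old, "->", new)
```

To use it on a real file, read the bytes from the share, pass them through decode_template, apply clear_deny_interactive_logon (and bump_gpt_version for GPT.INI), and write the result back with encode_template using the encoding that was detected; writing a UTF-16 template back as ANSI is the most common way to turn a recoverable situation into a corrupt template.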
--------------------------------------------------------------------------------
Secedit Introduction
Secedit.exe is the Windows command-line tool for automated security configuration. It can analyze the system's security against a template, configure the system by applying a template, refresh policy settings, export the current settings to a template, and validate the syntax of a template file. Run "secedit /?" for help.
--------------------------------------------------------------------------------
Additional instructions
Both methods assume that authorized users (such as administrators) are not also denied the right to log on from the network. If your policy denies network logon as well, recovering the faulty computer is harder, but still not a dead end. That case will be covered in a separate article and is not elaborated here.
--------------------------------------------------------------------------------
References
Reference 1: Microsoft Knowledge Base articles Q226243, Q257346 and Q267553.
Reference 2: The Microsoft msnews newsgroups microsoft.public.win2000.setup, microsoft.public.win2000.security and microsoft.public.win2000.general.
Reference 3: Windows 2000 Chinese Help.