Shulou(Shulou.com)06/01 Report--

Today, I would like to talk to you about the solution to the failure of being unable to log in if the group policy is not set improperly. Many people may not know much about it. In order to make you understand better, the editor summed up the following for you. I hope you can get something from this article.

What if the group policy is sometimes incorrectly set up so that the administrator cannot log in? The details are as follows.

In WINMAG magazine, the author saw that in the domain environment, if the group policy is not set properly, the everyone group or administrator group is set in the policy of denying local login, which makes the administrator unable to log in, but the premise seems to be in the domain environment, through the release of the priority policy on the DC to replace the original policy, so as to achieve the purpose of solving the problem, then how to solve this kind of problem in the case of peer-to-peer network or stand-alone? If it can be solved under a single machine, I think there is no need to distinguish whether it is a domain environment, it can also be said to be a general method. Let's take a look at the author's specific truth process. (this lab is all done on a virtual machine, the disk format is NTFS and the system is XP. )

The first thing to declare is that in a stand-alone environment, if it is not allowed to directly add "everyone" or "administrator" to the group policy's deny local login, the following prompt will appear:

Figure 1: system rejects prompt when adding "everyone" group

Microsoft seems to realize that users can make such low-level mistakes, but it is a pity that this feature only detects "everyone" or administrators, but does not check the members of other groups. If a group contains everyone or administrators, the system is allowed to pass, thus causing the problem. In the experimental environment, the author created a new SLE group with "everyone" as the group member, as shown in the figure:

Figure 2: create a new group "sle" that contains members of the "everyone" group

After confirming, run "Group Policy" again, and add "SLE" group to "reject local users". The system does not give any prompt and passes completely, as shown in the figure:

Figure 3: adding a "everyone" group containing members of the "sle" group in denying local login

Then restart the system, as expected, when the author logged in with "administrator", the system gave an error prompt:

Figure 4: system refuses to log in

Obviously, if it is in a stand-alone environment, there is no way to think about it, but to transfer. The author first starts with the installation CD of XP, selects repair, enters the administrator password, and enters the console. Because the group policy does not work under the console, he will not refuse to log in, as shown in the figure:

Figure 5: enter the console

Change the current directory to "c:\ windows\ system32", and then copy "cmd.exe" to another directory. The author copies it to the root directory of disk C, then renames "cmd.exe" to "logon.scr", and then re-copies the "logon.scr" renamed from "cmd.exe" to "c:\ windows\ system32". The system prompts: "do you want to rewrite logon.scr?" , select "Yes" and * * enter "exit" to exit and restart.

Figure 6: change "cmd.exe" to "logon.scr" and overwrite the original file

When starting to the login screen, please do not touch the keyboard and mouse. After a while, the system will start the screensaver of "logon.scr". However, since the author has previously changed "cmd.exe" to "logon.scr", this time it is not a screensaver, but a "cmd.exe", as shown in the figure:

Figure 7: the system starts "logon.scr" renamed from "cmd.exe"

Next, it is convenient to start the group policy by typing "gpedit.msc":

Figure 8: running Group Policy

Then the author goes to "user Rights assignment" and double-click "deny local login":

Figure 9: delete the sle that contains the member everyone group

Delete the group "sle" that the author added that contains "everyone". Confirm to exit, and then enter the password of the administrator account in the login screen to log in successfully!

This method mainly uses the loophole that the system automatically starts "logon.scr" to solve the problem if the keyboard and mouse are not moved for a long time in the login interface. Now the author simulates the environment under the condition of knowing the administrator's password, and it doesn't matter if you don't know the password. As long as you start XP with the installation CD of 2K PRO, you don't have to enter the password to enter the console (another security loophole). This method can not only solve the problem of improper group policy setting in the stand-alone environment, but also crack the administrator password of the system, including DC. Hope that Microsoft's next system-Longhorn can avoid such problems and make the system more secure!

Improper group policy settings can not log in to the troubleshooting method. I hope it will be helpful to the reader.

After reading the above, do you have any further understanding of the solution to the failure of being unable to log in if the group policy is not set properly? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.