active-directory – GPO not applying; reason: Inaccessible, Empty, or Disabled
I have a Windows Server 2012 R2 domain. Yesterday the network drives on one computer (running Windows 10 Pro) stopped working. Further investigation (gpresult /h) showed that every Group Policy Object fails with the reason "Inaccessible, Empty, or Disabled". I have confirmed that all GPOs still exist and are enabled on both (redundant and local) domain controllers. In addition, there are 20 other machines on the same domain and LAN with no problems at all. However, another computer I tested shows the same problem! Does this mean there is a problem with the server?

gpresult /r reports that one client gets its GPOs from the local DC1 and the other from DC2, so this is not a problem tied to a specific DC. gpupdate /force fixes nothing (although it claims the policies were applied). I tried deleting the registry keys for the local policy (following this guide: https://superuser.com/questions/379908/how-to-clear-or-remove-domain-applied-group-policy-settings-after-leaving-the-do) and rebooting – same problem. I found this support page from Microsoft (https://support.microsoft.com/en-us/kb/2976965), but it says it only applies to Windows 7 or earlier clients. All my machines (servers and clients) run 64-bit editions and are fully updated. I have rebooted all of them just to be sure.

Check the patch joeqwerty linked too. It has important details:

Known issues

MS16-072 changes the security context used to retrieve user Group Policy. This by-design behavior change protects customers' computers from a security vulnerability. Before MS16-072 is installed, user Group Policy is retrieved using the user's security context. After MS16-072 is installed, user Group Policy is retrieved using the computer's security context. This issue applies to the following KB article: 3159398 MS16-072: Description of the security update for Group Policy.

Symptoms

All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain-joined computers.

Cause

This issue may occur if the Group Policy Object is missing Read permissions for the Authenticated Users group, or if you are using security filtering and are missing Read permissions for the Domain Computers group.

Resolution

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and perform one of the following steps:
– Add the Authenticated Users group with Read permissions on the Group Policy Object.

See this link, Deploy MS16-072, which explains everything and provides a script to fix the affected GPOs. The script adds Read permissions for Authenticated Users to every GPO that has no Authenticated Users permissions.

```powershell
# Copyright (C) Microsoft Corporation. All rights reserved.

# Requires Windows 7 / Server 2008 R2 or later.
$osver = [System.Environment]::OSVersion.Version
$win7 = New-Object System.Version 6, 1, 7601, 0
if ($osver -lt $win7) {
    Write-Error "OS Version is not compatible for this script. Please run on Windows 7 or above"
    return
}

# The GroupPolicy module ships with GPMC / RSAT.
Try {
    Import-Module GroupPolicy
}
Catch {
    Write-Error "GP Management tools may not be installed on this machine. Script cannot run"
    return
}

$arrgpo = New-Object System.Collections.ArrayList

# Collect every GPO whose user side is enabled and that has no entry at all
# for 'Authenticated Users' in its permission list.
foreach ($loopGPO in Get-GPO -All) {
    if ($loopGPO.User.Enabled) {
        $AuthPermissionsExists = Get-GPPermissions -Guid $loopGPO.Id -All |
            Select-Object -ExpandProperty Trustee |
            ? { $_.Name -eq "Authenticated Users" }
        If (!$AuthPermissionsExists) {
            $arrgpo.Add($loopGPO) | Out-Null
        }
    }
}

if ($arrgpo.Count -eq 0) {
    echo "All Group Policy Objects grant access to 'Authenticated Users'"
    return
}
else {
    Write-Warning "The following Group Policy Objects do not grant any permissions to the 'Authenticated Users' group:"
    foreach ($loopGPO in $arrgpo) {
        write-host "'$($loopgpo.DisplayName)'"
    }
}

# Ask before changing anything.
$title = "Adjust GPO Permissions"
$message = "The Group Policy Objects (GPOs) listed above do not have the Authenticated Users group added with any permissions. Group policies may fail to apply if the computer attempting to list the GPOs required to download does not have Read Permissions. Would you like to adjust the GPO permissions by adding Authenticated Users group Read permissions?"
$yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
    "Adds Authenticated Users group to all user GPOs which don't have 'Read' permissions"
$no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
    "No Action will be taken. Some Group Policies may fail to apply"
$options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
$result = $host.ui.PromptForChoice($title, $message, $options, 0)

$appliedgroup = $null
switch ($result) {
    0 { $appliedgroup = "Authenticated Users" }
    1 { $appliedgroup = $null }
}

# Grant Read (not Apply), so security filtering of the GPOs is unchanged.
If ($appliedgroup) {
    foreach ($loopgpo in $arrgpo) {
        write-host "Adding 'Read' permissions for '$appliedgroup' to the GPO '$($loopgpo.DisplayName)'."
        Set-GPPermissions -Guid $loopgpo.Id -TargetName $appliedgroup -TargetType group -PermissionLevel GpoRead | Out-Null
    }
}
```

If you grant Read permissions to Domain Computers (as I did) rather than to Authenticated Users, just change `0 { $appliedgroup = "Authenticated Users" }` to `0 { $appliedgroup = "Domain Computers" }`.
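As an added example (my own code, not Microsoft's script from the answer above), the audit below covers both resolutions at once: it checks every user-enabled GPO for a Read-or-better grant to either Authenticated Users or Domain Computers, matching on SID rather than on the (localizable) group name, and only changes anything when -Fix is given. The function name Test-Ms16072GpoAccess and the RID-515 pattern for Domain Computers are my assumptions; it needs the GroupPolicy module (GPMC / RSAT) and rights to read, and with -Fix to edit, the GPOs.

```powershell
# Added example: audit (and optionally repair) GPO read access as required after MS16-072.
# Not part of the original post. Assumes the GroupPolicy module is installed.
Import-Module GroupPolicy -ErrorAction Stop

function Test-Ms16072GpoAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Principal to grant Read to when -Fix is used (the two resolutions from the KB).
        [ValidateSet('Authenticated Users', 'Domain Computers')]
        [string]$GrantTo = 'Authenticated Users',
        [switch]$Fix
    )
    # Permission levels that include Read; GpoCustom is flagged for manual review.
    $readOrBetter = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    foreach ($gpo in Get-GPO -All) {
        if (-not $gpo.User.Enabled) { continue }   # no user settings: MS16-072 does not affect it
        $acl = Get-GPPermission -Guid $gpo.Id -All
        # Authenticated Users is S-1-5-11; Domain Computers is the domain SID plus RID 515.
        $ok = $acl | Where-Object {
            -not $_.Denied -and
            $readOrBetter -contains $_.Permission.ToString() -and
            ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or $_.Trustee.Sid.Value -like 'S-1-5-21-*-515')
        }
        $custom = $acl | Where-Object { $_.Permission.ToString() -eq 'GpoCustom' }
        $status = if ($ok) { 'OK' } elseif ($custom) { 'REVIEW' } else { 'MISSING' }
        if ($status -eq 'MISSING' -and $Fix -and
            $PSCmdlet.ShouldProcess($gpo.DisplayName, "Grant Read to $GrantTo")) {
            # Read only: Apply is left untouched, so existing security filtering still holds.
            Set-GPPermission -Guid $gpo.Id -TargetName $GrantTo -TargetType Group `
                -PermissionLevel GpoRead | Out-Null
            $status = 'FIXED'
        }
        [pscustomobject]@{ Gpo = $gpo.DisplayName; Id = $gpo.Id; Status = $status }
    }
}

# Report only (no changes). Add -Fix to grant, and -WhatIf to preview the grants first.
Test-Ms16072GpoAccess | Format-Table -AutoSize
```

GPOs reported as REVIEW carry custom ACEs that may or may not include Read for a computer principal; inspect those in GPMC's Delegation tab rather than trusting the summary.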