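I have set up a lab with several Windows Server 2012 R2 machines. The lab has an Active Directory domain (DFL: Windows Server 2012 R2, FFL: Windows Server 2012 R2), and the machines are joined to it.
By default, these Windows machines lock automatically when left unattended. I don't want the machines to lock automatically. Since this is an isolated lab, I have no security concerns about leaving the machines unlocked.
I created a Group Policy Object that configures a number of settings, but the machines still lock. I have verified that the GPO is applied to the machines.
The GPO configures the following settings:
- Computer Configuration\Policies\Windows Settings\Local Policies/Security Options\Microsoft network server\Microsoft network server: Amount of idle time required before suspending session: 0 minutes
- User Configuration\Policies\Administrative Templates\Control Panel/Personalization\Enable screen saver: Disabled
- User Configuration\Policies\Administrative Templates\Control Panel/Personalization\Password protect the screen saver: Disabled
- User Configuration\Policies\Administrative Templates\Control Panel/Personalization\Screen saver timeout: 0 seconds
- User Configuration\Policies\Administrative Templates\System/Power Management\Prompt for password on resume from hibernate/suspend: Disabled
I have researched this for several hours but have not found anything that works. Is there another setting that controls this behavior?
Edit: output of gpresult /v: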
C:\Windows\system32>gpresult /v
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
c 2013 Microsoft Corporation. All rights reserved.
Created on 9/24/2014 at 9:44:02 AM
RSOP data for CONTOSO\user01 on SERVER01 : Logging Mode
----------------------------------------------------------------
OS Configuration: Member Server
OS Version: 6.3.9600
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\user01
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=SERVER01,OU=SPSSearch,OU=Projects,DC=CONTOSO,DC=NET
Last time Group Policy was applied: 9/24/2014 at 9:03:08 AM
Group Policy was applied from: DC01.CONTOSO.NET
Group Policy slow link threshold: 500 kbps
Domain Name: CONTOSO
Domain Type: Windows 2008 or later
Applied Group Policy Objects
-----------------------------
Don't lock workstation
Password Policy
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
SERVER01$
Domain Computers
Authentication authority asserted identity
System Mandatory Level
Resultant Set Of Policies for Computer
---------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
GPO: Password Policy
Policy: MaximumPasswordAge
Computer Setting: 4294967295
GPO: Password Policy
Policy: MinimumPasswordAge
Computer Setting: 30
GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: N/A
GPO: Password Policy
Policy: PasswordHistorySize
Computer Setting: N/A
GPO: Password Policy
Policy: MinimumPasswordLength
Computer Setting: N/A
Audit Policy
------------
N/A
User Rights
-----------
N/A
Security Options
----------------
GPO: Password Policy
Policy: PasswordComplexity
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: LSAAnonymousNameLookup
Computer Setting: Not Enabled
GPO: Don't lock workstation
Policy: @wsecedit.dll,-59042
ValueName: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect
Computer Setting: -1
GPO: Default Domain Policy
Policy: @wsecedit.dll,-59058
ValueName: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
Computer Setting: 1
N/A
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
USER SETTINGS
--------------
CN=SharePoint Setup Account,OU=SPSSearch,OU=Projects,DC=CONTOSO,DC=NET
Last time Group Policy was applied: 9/24/2014 at 9:03:39 AM
Group Policy was applied from: DC01.CONTOSO.NET
Group Policy slow link threshold: 500 kbps
Domain Name: CONTOSO
Domain Type: Windows 2008 or later
Applied Group Policy Objects
-----------------------------
Don't lock workstation
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Authentication authority asserted identity
High Mandatory Level
The user has the following security privileges
----------------------------------------------
Bypass traverse checking
Manage auditing and security log
Back up files and directories
Restore files and directories
Change the system time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Adjust memory quotas for a process
Remove computer from docking station
Perform volume maintenance tasks
Impersonate a client after authentication
Create global objects
Change the time zone
Create symbolic links
Increase a process working set
Resultant Set Of Policies for User
-----------------------------------
Software Installations
----------------------
N/A
Logon Scripts
-------------
N/A
Logoff Scripts
--------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
GPO: Don't lock workstation
Folder Id: Software\Policies\Microsoft\Windows\System\Power\PromptPasswordOnResume
State: disabled
GPO: Don't lock workstation
Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
Value: 48, 0, 0, 0
State: Enabled
GPO: Don't lock workstation
Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive
Value: 48, 0, 0, 0
State: Enabled
GPO: Don't lock workstation
Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut
Value: 48, 0, 0, 0
State: Enabled
Folder Redirection
------------------
N/A
Internet Explorer Browser User Interface
----------------------------------------
N/A
Internet Explorer Connection
----------------------------
N/A
Internet Explorer URLs
----------------------
N/A
Internet Explorer Security
--------------------------
N/A
Internet Explorer Programs
--------------------------
N/A
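Answer 1
Following @joeqwerty's suggestion to check the power management settings, I created a new power plan with the following settings:
- Display -> Turn off display -> On battery (minutes): 0
- Display -> Turn off display -> Plugged in (minutes): 0
I set it as the active power plan and applied the GPO. After 25 minutes, the machine no longer locked automatically.
Here are the complete steps to create it:
- In Group Policy Management Editor, edit the target GPO
- Go to Computer Configuration\Preferences\Control Panel Settings\Power Options
- In the right pane, right click and select New -> Power Plan (At least Windows 7)
- In the Advanced settings tab, select the Create action
- Enter a new plan name (e.g. "Don't lock")
- Select Set as the active power plan
- Expand Display -> Turn off display
- Change On battery (minutes) to 0
- Change Plugged in (minutes) to 0
- Click Apply, OK
- Apply the GPO to the target machine(s)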
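Answer 2
Since the problem was with KIOSK locking, I modified the previous plan, but I still want to save power.
Following @nucrash's suggestion to check the power management settings, I created a new power plan with the following settings:
- Additional Settings -> Require a Password -> On Battery: No
- Additional Settings -> Require a Password -> Plugged in: No
I set it as the active power plan and applied the GPO. The machine no longer locks automatically.
Here are the complete steps to create it: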
- In Group Policy Management Editor, edit the target GPO
- Go to Computer Configuration\Preferences\Control Panel Settings\Power Options
- In the right pane, right click and select New -> Power Plan (At least Windows 7)
- In the Advanced settings tab, select the Create action
- Enter a new plan name (e.g. "Don't lock")
- Select Set as the active power plan
- Expand Additional Settings -> Require a Password on wakeup
- Change On battery to No
- Change Plugged in to No
- Click Apply, OK
- Apply the GPO to the target machine(s)
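
Added example (not part of either answer): a PowerShell check, run on a target machine as the logged-on user, that reports the active power plan's "Turn off display" and "Require a password on wakeup" values from the two answers alongside the screen saver policy values shown in the gpresult output. The function name Get-PowerSettingIndex is hypothetical, and the parsing assumes English-language powercfg output.

```powershell
# Added example: audit the values the two answers set, on the machine being checked.
# Assumption: powercfg.exe prints English text ("Current AC Power Setting Index").

function Get-PowerSettingIndex {
    param(
        [Parameter(Mandatory)] [string] $SubGroup,
        [Parameter(Mandatory)] [string] $Setting
    )
    # SCHEME_CURRENT, SUB_VIDEO, VIDEOIDLE, SUB_NONE and CONSOLELOCK are powercfg aliases.
    $output = & powercfg.exe /query SCHEME_CURRENT $SubGroup $Setting 2>$null
    $row = [ordered]@{ Setting = $Setting; AC = $null; DC = $null }
    foreach ($line in $output) {
        if ($line -match 'Current (AC|DC) Power Setting Index:\s*0x([0-9a-fA-F]+)') {
            # powercfg prints the index in hex; AC = plugged in, DC = on battery
            $row[$Matches[1]] = [Convert]::ToUInt32($Matches[2], 16)
        }
    }
    # AC/DC stay $null when powercfg does not report the setting
    New-Object psobject -Property $row
}

# Answer 1: VIDEOIDLE   = "Turn off display" in seconds (0 = never; the GPO editor shows minutes).
# Answer 2: CONSOLELOCK = "Require a password on wakeup" (0 = No, 1 = Yes).
$plan = @(
    Get-PowerSettingIndex -SubGroup SUB_VIDEO -Setting VIDEOIDLE
    Get-PowerSettingIndex -SubGroup SUB_NONE  -Setting CONSOLELOCK
)

# Screen saver policy values written by the question's GPO for the current user
# (registry path and value names taken from the gpresult output above).
$key   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$names = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut'
$policy = foreach ($name in $names) {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    New-Object psobject -Property ([ordered]@{
        Policy = $name
        Value  = if ($item) { $item.$name } else { '(not set)' }
    })
}

$plan   | Format-Table -AutoSize
$policy | Format-Table -AutoSize
```

The same report run against production machines shows which ones have had idle locking turned off.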