Disable Windows locking using GPO?

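I have set up a lab with several Windows Server 2012 R2 machines. The lab has an Active Directory domain (DFL: Windows Server 2012 R2, FFL: Windows Server 2012 R2), and the machines are joined to that domain.

By default, these Windows machines lock automatically when left unattended. I don't want the machines to lock automatically. Since this is an isolated lab, I have no security concerns about leaving the machines unlocked.

I created a Group Policy Object with a number of settings configured, but the machines still lock. I have verified that the GPO is applied to the machines.

The GPO configures the following settings:

  • Computer Configuration\Policies\Windows Settings\Local Policies/Security Options\Microsoft Network Server\Microsoft network server: Amount of idle time required before suspending session: 0 minutes
  • User Configuration\Policies\Administrative Templates\Control Panel/Personalization\Enable screen saver: Disabled
  • User Configuration\Policies\Administrative Templates\Control Panel/Personalization\Password protect the screen saver: Disabled
  • User Configuration\Policies\Administrative Templates\Control Panel/Personalization\Screen saver timeout: 0 seconds
  • User Configuration\Policies\Administrative Templates\System/Power Management\Prompt for password on resume from hibernate/suspend: Disabled

I have researched this for hours and haven't found anything that works. Are there other settings that control this behavior?

Edit: output of gpresult /v: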

C:\Windows\system32>gpresult /v

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
c 2013 Microsoft Corporation. All rights reserved.

Created on 9/24/2014 at 9:44:02 AM


RSOP data for CONTOSO\user01 on SERVER01 : Logging Mode
----------------------------------------------------------------

OS Configuration:            Member Server
OS Version:                  6.3.9600
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\user01
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=SERVER01,OU=SPSSearch,OU=Projects,DC=CONTOSO,DC=NET
    Last time Group Policy was applied: 9/24/2014 at 9:03:08 AM
    Group Policy was applied from:      DC01.CONTOSO.NET
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        CONTOSO
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Don't lock workstation
        Password Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        SERVER01$
        Domain Computers
        Authentication authority asserted identity
        System Mandatory Level

    Resultant Set Of Policies for Computer
    ---------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Password Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  4294967295

            GPO: Password Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  30

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  N/A

            GPO: Password Policy
                Policy:            PasswordHistorySize
                Computer Setting:  N/A

            GPO: Password Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  N/A

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            N/A

        Security Options
        ----------------
            GPO: Password Policy
                Policy:            PasswordComplexity
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            LSAAnonymousNameLookup
                Computer Setting:  Not Enabled

            GPO: Don't lock workstation
                Policy:            @wsecedit.dll,-59042
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect
                Computer Setting:  -1

            GPO: Default Domain Policy
                Policy:            @wsecedit.dll,-59058
                ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
                Computer Setting:  1

            N/A

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A


USER SETTINGS
--------------
    CN=SharePoint Setup Account,OU=SPSSearch,OU=Projects,DC=CONTOSO,DC=NET
    Last time Group Policy was applied: 9/24/2014 at 9:03:39 AM
    Group Policy was applied from:      DC01.CONTOSO.NET
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        CONTOSO
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Don't lock workstation

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Authentication authority asserted identity
        High Mandatory Level

    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Shut down the system
        Force shutdown from a remote system
        Take ownership of files or other objects
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Change the time zone
        Create symbolic links
        Increase a process working set

    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Don't lock workstation
                Folder Id: Software\Policies\Microsoft\Windows\System\Power\PromptPasswordOnResume
                State:       disabled

            GPO: Don't lock workstation
                Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
                Value:       48, 0, 0, 0
                State:       Enabled

            GPO: Don't lock workstation
                Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive
                Value:       48, 0, 0, 0
                State:       Enabled

            GPO: Don't lock workstation
                Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut
                Value:       48, 0, 0, 0
                State:       Enabled

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A
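
The "Value: 48, 0, 0, 0" lines in the output above are the registry string "0" printed as decimal UTF-16LE bytes. The following added example (not part of the original post) parses those Administrative Templates entries and lists the lock-related values the GPO turns off; the function names are hypothetical, and it assumes "State: Enabled" means the value is delivered by the GPO rather than that the feature is on.

```python
import re

# Sample input: the user-side Administrative Templates entries from the gpresult /v output in the question.
SAMPLE = r"""
    GPO: Don't lock workstation
        Folder Id: Software\Policies\Microsoft\Windows\System\Power\PromptPasswordOnResume
        State:       disabled
    GPO: Don't lock workstation
        Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
        Value:       48, 0, 0, 0
        State:       Enabled
    GPO: Don't lock workstation
        Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive
        Value:       48, 0, 0, 0
        State:       Enabled
    GPO: Don't lock workstation
        Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut
        Value:       48, 0, 0, 0
        State:       Enabled
"""

def decode_value(raw):
    """Turn gpresult's decimal byte list into the string it encodes (UTF-16LE)."""
    data = bytes(int(b) for b in raw.split(","))
    return data.decode("utf-16-le").rstrip("\x00")

def parse_admin_templates(text):
    """Return {value name: {"gpo", "key", "value", "state"}} for each entry."""
    entries, cur = {}, {"gpo": None, "value": None}
    for line in text.splitlines():
        m = re.match(r"\s*(GPO|Folder Id|Value|State):\s*(.*\S)\s*$", line)
        if not m:
            continue
        field, val = m.groups()
        if field == "GPO":
            cur = {"gpo": val, "value": None}      # a new entry starts here
        elif field == "Folder Id":
            cur["key"], _, name = val.rpartition("\\")
            entries[name] = cur                    # index by registry value name
        elif field == "Value":
            cur["value"] = decode_value(val)
        else:
            cur["state"] = val.lower()
    return entries

def lock_weakening(entries):
    """Names of lock-related values that a GPO sets to "0" or disables."""
    return sorted(n for n, e in entries.items()
                  if e["value"] == "0" or e.get("state") == "disabled")
```

Run over this sample, lock_weakening(parse_admin_templates(SAMPLE)) names all four values, which shows the user-side screen saver and resume-password settings were delivered as intended and are not what was still locking the machine.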

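Answer 1

Following @joeqwerty's suggestion to check the power management settings, I created a new power plan with the following settings:

  • Display -> Turn off display -> On battery (minutes): 0
  • Display -> Turn off display -> Plugged in (minutes): 0

I set it as the active power plan and applied the GPO. After 25 minutes, the machine no longer locked automatically.

Here are the complete steps to create it:

  1. In Group Policy Management Editor, edit the target GPO
  2. Go to Computer Configuration\Preferences\Control Panel Settings\Power Options
  3. In the right pane, right click and select New -> Power Plan (At least Windows 7)
  4. In the Advanced settings tab, select the Create action
  5. Enter a new plan name (e.g. "Don't lock")
  6. Select Set as the active power plan
  7. Expand Display -> Turn off display
  8. Change On battery (minutes) to 0
  9. Change Plugged in (minutes) to 0
  10. Click Apply, OK
  11. Apply the GPO to the target machine(s)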

Answer 2

Because the problem was with KIOSK locking, I modified the previous plan, but I still wanted to save power.

Following @nucrash's suggestion to check the power management settings, I created a new power plan with the following settings:

  • Additional Settings -> Require a Password -> On Battery: No
  • Additional Settings -> Require a Password -> Plugged in: No

I set it as the active power plan and applied the GPO. The machine no longer locks automatically.

Here are the complete steps to create it:

  1. In Group Policy Management Editor, edit the target GPO
  2. Go to Computer Configuration\Preferences\Control Panel Settings\Power Options
  3. In the right pane, right click and select New -> Power Plan (At least Windows 7)
  4. In the Advanced settings tab, select the Create action
  5. Enter a new plan name (e.g. "Don't lock")
  6. Select Set as the active power plan
  7. Expand Additional Settings -> Require a Password on wakeup
  8. Change On battery to No
  9. Change Plugged in to No
  10. Click Apply, OK
  11. Apply the GPO to the target machine(s)
