在 AD 中,我创建了一个新的 OU 并将我的用户名移到该 OU 中,以便我可以使用自己的域用户帐户进行测试。
然后,我创建了一个新的 GPO 并启用了以下内容:
Computer Configuration > Policies > Administrative Templates > Windows Components > Store > Turn off the Store application = Enabled
我进入本地计算机,将其连接到域,使用域登录详细信息登录,以管理员身份加载 CMD 并输入
gpupdate
它显示以下输出:
C:\Windows>gpupdate
Updating policy...
Computer Policy update has completed successfully.
The following warnings were encountered during computer policy processing:
The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
User Policy update has completed successfully.
For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
C:\Windows>
我尝试加载 Microsoft Store,但它仍然加载。
然后我尝试了以下命令:
gpupdate /force
显示的输出如下:
C:\Windows>gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
The following warnings were encountered during computer policy processing:
The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
User Policy update has completed successfully.
For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
Certain Computer policies are enabled that can only run during startup.
OK to restart? (Y/N)Y
Restarting the computer...
..
C:\Windows>
计算机重启后,它仍会加载 Microsoft Store。
我已经检查了 GPReport.html,没有看到任何关于禁用 Microsoft Store 的 GPO 提及。
知道为什么这不起作用吗?
环境详情:
域上的客户端计算机:
- Windows 10 企业版(连接到域的桌面客户端计算机)
在域服务器上:
- Exchange 2013
- Active Directory 6.3.9xx
答案1
在 AD 中,我创建了一个新的 OU 并将我的用户名移到该 OU 中,以便我可以使用自己的域用户帐户进行测试。
您不能将计算机设置 GPO 链接到用户帐户,而必须将其链接到计算机帐户。
我已经检查了 GPReport.html,没有看到任何关于禁用 Microsoft Store 的 GPO 提及。
因此,GPResult 不显示链接的 GPO,这是正常的。
确保将 GPO 强制实施到计算机帐户要应用设置的正确 OU。
对我来说,这是一个简单的错误。为什么?因为如果是安全组错误或 WMI 过滤器,GPO 将在 GPResult 中列出,但会出现访问被拒绝错误。
答案2
我不确定为什么它不起作用,但我的 AD 环境由 Win 10 Pro 机器组成,我想完成同样的事情。我最终不得不利用软件限制策略。
Computer Config>Windows Settings>Software Restriction Policies>Additional Rules
然后添加以下内容:
%programfiles%\WindowsApps\Microsoft.WindowsStore*
安全级别设置为“不允许”
GPO 设置阻止商店、XBOX、Skype、Windows Mail 的图片
最终结果:
希望这可以帮助 :)