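Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must also comply with the CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/1830910/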
Can I override a group policy setting as a machine admin?
Asked by Max
Group policy prevents several configuration settings on my Windows 7 / Vista machines. Since my domain account is a member of the local Administrators group on these boxes, is there still a way to override them locally?
For instance, GP prevents changing the power management option "Turn off the display" (even changing it from cmd fails: POWERCFG -X -monitor-timeout-ac 60 => "An unexpected error condition has occurred. Unable to perform operation. You may not have permission to perform this operation.")
Even when logging on with a local account and not the domain account, it's not possible to change the setting anymore.
Answered by ewall
While @bnkdev is correct, there are ways around it, of course.
For example, since you have admin rights, you can change the permissions on the specific policy-related Registry keys (e.g. HKLM\SOFTWARE\Policies\Microsoft...) such that the SYSTEM account cannot change them (deny write), but you still can.
Also, it's been a while, but I have used a little program called KillPol.exe (see this blog post for info and possible download), which will allow you to override the GPO settings at least temporarily. (Note, however, I don't know if or how well it works on Vista & Win7, which have very different implementations of the Registry.)
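Seen from the administrator's side of the domain, the permission change described in the answer above leaves a trace that can be audited: a Deny entry for SYSTEM on a policy key. The following read-only check is an added example, not part of the original answers; the function name `Get-PolicyKeyDenyAce` is hypothetical, the default root is the one the answer names, and it assumes Windows PowerShell 3.0 or later in an elevated prompt.

```powershell
# Added example (not from the original answers). Read-only audit: lists Deny ACEs
# that stop NT AUTHORITY\SYSTEM from writing under a policy registry root.
function Get-PolicyKeyDenyAce {
    param(
        # Default is the root named in the answer; pass other roots to widen the scan.
        [string[]]$Root = @('HKLM:\SOFTWARE\Policies')
    )
    $systemSid = 'S-1-5-18'   # well-known SID of NT AUTHORITY\SYSTEM
    # Rights whose denial keeps a principal from changing values, subkeys or the ACL.
    $writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    foreach ($path in $Root) {
        $keys = @(Get-Item -LiteralPath $path -ErrorAction SilentlyContinue -ErrorVariable itemErr) +
                @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue -ErrorVariable childErr)

        # A policy key that an administrator cannot even enumerate deserves a look.
        foreach ($e in (@($itemErr) + @($childErr))) {
            [pscustomobject]@{ Key = "$($e.TargetObject)"; Finding = 'Key not readable'
                               Rights = $null; Inherited = $null; Owner = $null }
        }

        foreach ($key in $keys) {
            try { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop }
            catch {
                [pscustomobject]@{ Key = $key.Name; Finding = 'ACL not readable'
                                   Rights = $null; Inherited = $null; Owner = $null }
                continue
            }
            # Explicit and inherited rules, with identities returned as SIDs.
            foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
                $deniesWrite = ([int]$rule.RegistryRights -band $writeMask) -ne 0
                if ($rule.AccessControlType -eq 'Deny' -and
                    $rule.IdentityReference.Value -eq $systemSid -and $deniesWrite) {
                    [pscustomobject]@{ Key = $key.Name; Finding = 'Deny ACE blocks SYSTEM write'
                                       Rights = $rule.RegistryRights
                                       Inherited = $rule.IsInherited; Owner = $acl.Owner }
                }
            }
        }
    }
}

Get-PolicyKeyDenyAce | Format-Table -AutoSize -Wrap
```

An empty result means no key under the scanned root carries a Deny entry for SYSTEM that covers write access.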
Answered by Ta01
Group Policy always trumps local policy.