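I'm having a problem changing the execution policy on my Windows Server 2008 operating system. This is the first time I'm trying to run a script for which I need full access to resources, and after starting PowerShell in elevated mode I tried the following: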
Set-ExecutionPolicy Unrestricted
But I get this:
    Set-ExecutionPolicy : Windows PowerShell updated your execution policy
    successfully, but the setting is overridden by a policy defined at a more
    specific scope. Due to the override, your shell will retain its current
    effective execution policy of RemoteSigned. Type "Get-ExecutionPolicy -List"
    to view your execution policy settings. For more information please see
    "Get-Help Set-ExecutionPolicy".
    At line:1 char:1
    + Set-ExecutionPolicy Unrestricted
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException
        + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand
Although I am an administrator, I cannot change the execution policy. What should I do?
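The error message indicates that the setting you're trying to define via Set-ExecutionPolicy is overridden by a setting in another scope. Use Get-ExecutionPolicy -List to see which scope has which setting.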
    PS C:\> Get-ExecutionPolicy -List

            Scope ExecutionPolicy
            ----- ---------------
    MachinePolicy       Undefined
       UserPolicy       Undefined
          Process       Undefined
      CurrentUser       Undefined
     LocalMachine    RemoteSigned

    PS C:\> Set-ExecutionPolicy Restricted -Scope Process -Force
    PS C:\> Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force
    Set-ExecutionPolicy : Windows PowerShell updated your execution policy
    successfully, but the setting is overridden by a policy defined at a more
    specific scope. Due to the override, your shell will retain its current
    effective execution policy of Restricted. Type "Get-ExecutionPolicy -List"
    to view your execution policy settings. ...
    PS C:\> Get-ExecutionPolicy -List

            Scope ExecutionPolicy
            ----- ---------------
    MachinePolicy       Undefined
       UserPolicy       Undefined
          Process      Restricted
      CurrentUser    Unrestricted
     LocalMachine    RemoteSigned

    PS C:\> .\test.ps1
    .\test.ps1 : File C:\test.ps1 cannot be loaded because running scripts is
    disabled on this system. ...
    PS C:\> Set-ExecutionPolicy Unrestricted -Scope Process -Force
    PS C:\> Set-ExecutionPolicy Restricted -Scope CurrentUser -Force
    Set-ExecutionPolicy : Windows PowerShell updated your execution policy
    successfully, your shell will retain its current effective execution policy
    of Restricted. Type "Get-ExecutionPolicy -List" to view your execution
    policy settings. ...
    PS C:\> Get-ExecutionPolicy -List

            Scope ExecutionPolicy
            ----- ---------------
    MachinePolicy       Undefined
       UserPolicy       Undefined
          Process    Unrestricted
      CurrentUser      Restricted
     LocalMachine    RemoteSigned

    PS C:\> .\test.ps1
    Hello World!
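As you can see, both settings were defined despite the error, but the setting in the more specific scope (Process) still takes precedence, either preventing or allowing script execution.
Since the default scope is LocalMachine, the error could be caused by a setting in the CurrentUser or Process scope. However, a more common reason is that script execution was configured via a group policy (either local or domain).
A local group policy can be modified by a local administrator via gpedit.msc (Local Group Policy Editor), as described in this answer.
A domain group policy cannot be superseded by local settings/policies and must be changed by a domain admin via gpmc.msc (Group Policy Management) on a domain controller.
For both local and domain policies, the setting can be defined as a computer setting: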
    Computer Configuration
    `-Administrative Templates
      `-Windows Components
        `-Windows PowerShell -> Turn on Script Execution
or as a user setting:
    User Configuration
    `-Administrative Templates
      `-Windows Components
        `-Windows PowerShell -> Turn on Script Execution
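The former is applied to computer objects, whereas the latter is applied to user objects. For local policies there is no significant difference between user and computer policies, because user policies are automatically applied to all users on the computer.
A policy can have one of three states (or five states if you count the 3 settings available for the state Enabled separately):
- Not Configured: the policy does not control PowerShell script execution.
- Enabled: allow PowerShell script execution.
  - Allow only signed scripts: allow execution of signed scripts only (same as Set-ExecutionPolicy AllSigned).
  - Allow local scripts and remote signed scripts: allow execution of all local scripts (signed or not) and of signed scripts from remote locations (same as Set-ExecutionPolicy RemoteSigned).
  - Allow all scripts: allow execution of local and remote scripts regardless of whether they are signed or not (same as Set-ExecutionPolicy Unrestricted).
- Disabled: disallow PowerShell script execution (same as Set-ExecutionPolicy Restricted).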
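Changes made via Set-ExecutionPolicy only become effective when local and domain policies are set to Not Configured (execution policy Undefined in the scopes MachinePolicy and UserPolicy).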
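
The scope precedence described in the answer above, as an added example that is not part of the original post: it reads the output of Get-ExecutionPolicy -List, reports which scope decides the effective policy, whether that scope comes from Group Policy, and which defined scopes are being overridden. The function name Resolve-ExecutionPolicyScope and the sample objects are assumptions made for illustration.

```powershell
# Added example. Resolve-ExecutionPolicyScope is a hypothetical helper name,
# not a built-in cmdlet.
function Resolve-ExecutionPolicyScope {
    param(
        # Objects with Scope and ExecutionPolicy properties, as returned by
        # Get-ExecutionPolicy -List (used by default when nothing is passed).
        [object[]]$PolicyList = (Get-ExecutionPolicy -List)
    )
    # Scopes in order of precedence, highest first.
    $order = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'
    # Keep only scopes that actually define a policy, sorted by precedence.
    $defined = @(foreach ($scope in $order) {
        $PolicyList | Where-Object {
            "$($_.Scope)" -eq $scope -and "$($_.ExecutionPolicy)" -ne 'Undefined'
        }
    })
    $winner = $null
    $byGpo  = $false
    $advice = 'No scope defines a policy; PowerShell uses its built-in default.'
    if ($defined.Count -gt 0) {
        $winner = $defined[0]
        $byGpo  = @('MachinePolicy', 'UserPolicy') -contains "$($winner.Scope)"
        if ($byGpo) {
            $advice = 'Set by Group Policy; Set-ExecutionPolicy cannot override it. ' +
                      'Change "Turn on Script Execution" in gpedit.msc or gpmc.msc.'
        } else {
            $advice = "Change it with: Set-ExecutionPolicy <policy> -Scope $($winner.Scope)"
        }
    }
    New-Object PSObject -Property @{
        WinningScope     = $(if ($winner) { "$($winner.Scope)" })
        EffectivePolicy  = $(if ($winner) { "$($winner.ExecutionPolicy)" })
        SetByGroupPolicy = $byGpo
        # Lower-precedence scopes that are defined but currently have no effect.
        Overridden       = @($defined | Select-Object -Skip 1 |
                             ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" })
        Advice           = $advice
    }
}

# Constructed sample: the state from the session above in which test.ps1 was blocked.
$sample = @(
    New-Object PSObject -Property @{ Scope = 'MachinePolicy'; ExecutionPolicy = 'Undefined' }
    New-Object PSObject -Property @{ Scope = 'UserPolicy';    ExecutionPolicy = 'Undefined' }
    New-Object PSObject -Property @{ Scope = 'Process';       ExecutionPolicy = 'Restricted' }
    New-Object PSObject -Property @{ Scope = 'CurrentUser';   ExecutionPolicy = 'Unrestricted' }
    New-Object PSObject -Property @{ Scope = 'LocalMachine';  ExecutionPolicy = 'RemoteSigned' }
)
Resolve-ExecutionPolicyScope -PolicyList $sample | Format-List
```

Calling Resolve-ExecutionPolicyScope without arguments evaluates the live settings of the current session instead of the sample.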