我在更改 Windows Server 2008+ 操作系统中的执行策略时遇到问题.这是我第一次尝试运行需要完全访问资源的脚本,并在 提升模式 下启动 Powershell 后尝试以下操作:
I have a problem regarding changing the Execution Policy in my Windows Server 2008+ OS. It is the first time I try to run a script for which I need resource full access and I try the following after starting Powershell in elevated mode:
Set-ExecutionPolicy Unrestricted但我明白了:
Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope. Due to the override, your shell will retain its current effective execution policy of RemoteSigned. Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more information please see "Get-Help Set-ExecutionPolicy". At line:1 char:1 + Set-ExecutionPolicy Unrestricted + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand虽然我是管理员,但我无法更改执行策略.该怎么办?
Though I am Administrator, I cannot change the Execution Policy. What to do?
推荐答案该错误消息表明您尝试通过 Set-ExecutionPolicy 定义的设置被另一个范围中的设置覆盖.使用 Get-ExecutionPolicy -List 查看哪个范围具有哪个设置.
The error message indicates that the setting you're trying to define via Set-ExecutionPolicy is overridden by a setting in another scope. Use Get-ExecutionPolicy -List to see which scope has which setting.
PS C:\> Get-ExecutionPolicy -List Scope ExecutionPolicy ----- --------------- MachinePolicy Undefined UserPolicy Undefined Process Undefined CurrentUser Undefined LocalMachine RemoteSigned PS C:\> Set-ExecutionPolicy Restricted -Scope Process -Force PS C:\> Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope. Due to the override, your shell will retain its current effective execution policy of Restricted. Type "Get-ExecutionPolicy -List" to view your execution policy settings. ... PS C:\> Get-ExecutionPolicy -List Scope ExecutionPolicy ----- --------------- MachinePolicy Undefined UserPolicy Undefined Process Restricted CurrentUser Unrestricted LocalMachine RemoteSigned PS C:\> .\test.ps1 .\test.ps1 : File C:\test.ps1 cannot be loaded because running scripts is disabled on this system. ... PS C:\> Set-ExecutionPolicy Unestricted -Scope Process -Force PS C:\> Set-ExecutionPolicy Restricted -Scope CurrentUser -Force Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope. Due to the override, your shell will retain its current effective execution policy of Restricted. Type "Get-ExecutionPolicy -List" to view your execution policy settings. ... PS C:\> Get-ExecutionPolicy -List Scope ExecutionPolicy ----- --------------- MachinePolicy Undefined UserPolicy Undefined Process Unrestricted CurrentUser Restricted LocalMachine RemoteSigned PS C:\> .\test.ps1 Hello World!如您所见,尽管存在错误,但仍定义了两个设置,但更具体范围 (Process) 中的设置仍具有优先权,无论是阻止还是允许脚本执行.
As you can see, both settings were defined despite the error, but the setting in the more specific scope (Process) still takes precedence, either preventing or allowing script execution.
由于默认范围是 LocalMachine,错误可能是由 CurrentUser 或 Process 范围中的设置引起的.但是,更常见的原因是脚本执行是通过组策略(本地或域)配置的.
Since the default scope is LocalMachine the error could be caused by a setting in the CurrentUser or Process scope. However, a more common reason is that script execution was configured via a group policy (either local or domain).
本地管理员可以通过 gpedit.msc(本地组策略编辑器)修改本地组策略,如 这个答案.
A local group policy can be modified by a local administrator via gpedit.msc (Local Group Policy Editor) as described in this answer.
域组策略不能被本地设置/策略取代,必须由域管理员通过域控制器上的 gpmc.msc(组策略管理)进行更改.
A domain group policy cannot be superseded by local settings/policies and must be changed by a domain admin via gpmc.msc (Group Policy Management) on a domain controller.
对于本地和域策略,可以将设置定义为计算机设置:
For both local and domain policies the setting can be defined as a computer setting:
Computer Configuration `-Administrative Templates `-Windows Components `-Windows PowerShell -> Turn on Script Execution或作为用户设置:
User Configuration `-Administrative Templates `-Windows Components `-Windows PowerShell -> Turn on Script Execution前者适用于计算机对象,而后者适用于用户对象.对于本地策略,用户策略和计算机策略之间没有显着差异,因为用户策略会自动应用于计算机上的所有用户.
The former are applied to computer objects, whereas the latter are applied to user objects. For local polices there is no significant difference between user and computer policies, because user policies are automatically applied to all users on the computer.
策略可以具有三种状态中的一种(如果单独计算可用于状态 Enabled 的 3 种设置,则为五种状态):
A policy can have one of three states (or five states if you count the 3 settings available for the state Enabled separately):
- 未配置:策略不控制 PowerShell 脚本的执行.
- 已启用:允许 PowerShell 脚本执行.
- 只允许签名脚本:只允许执行签名脚本(与 Set-ExecutionPolicy AllSigned 相同).
- 允许本地脚本和远程签名脚本:允许从远程位置执行所有本地脚本(已签名或未签名)和已签名脚本(与 Set-ExecutionPolicy RemoteSigned 相同)).
- 允许所有脚本:允许执行本地和远程脚本,无论它们是否已签名(与 Set-ExecutionPolicy Unrestricted 相同).
- Not Configured: policy does not control PowerShell script execution.
- Enabled: allow PowerShell script execution.
- Allow only signed scripts: allow execution of signed scripts only (same as Set-ExecutionPolicy AllSigned).
- Allow local scripts and remote signed scripts: allow execution of all local scripts (signed or not) and of signed scripts from remote locations (same as Set-ExecutionPolicy RemoteSigned).
- Allow all scripts: allow execution of local and remote scripts regardless of whether they're signed or not (same as Set-ExecutionPolicy Unrestricted).
通过 Set-ExecutionPolicy 进行的更改仅在本地和域策略设置为 Not Configured(范围内的执行策略 UndefinedMachinePolicy 和 UserPolicy).
Changes made via Set-ExecutionPolicy only become effective when local and domain policies are set to Not Configured (execution policy Undefined in the scopes MachinePolicy and UserPolicy).
更多推荐
如何成功更改执行策略并启用 PowerShell 脚本的执行
发布评论