Troubleshoot Software Restriction Policies

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic describes common problems and their solutions when troubleshooting Software Restriction Policies (SRP), beginning with Windows Server 2008 and Windows Vista.

Introduction

Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain and controls the ability of those programs to run. You use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run. SRP is integrated with Microsoft Active Directory Domain Services and Group Policy, but it can also be configured on stand-alone computers. For more information about SRP, see Software Restriction Policies.

Beginning with Windows Server 2008 R2 and Windows 7, Windows AppLocker can be used instead of, or in concert with, SRP for a portion of your application control strategy.

Windows cannot open a program

Users receive a message that says "Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator." Or, on the command line, a message says "The system cannot execute the specified program."

Cause: The default security level (or a rule) was created so that the software program is set as Disallowed, and as a result it will not start.

Solution: Look in the event log for an in-depth description of the message. The event log message indicates which software program is set as Disallowed and which rule is applied to the program.

Modified software restriction policies are not taking effect

Cause: Software restriction policies that are specified in a domain through Group Policy override any policy settings that are configured locally. This might mean that a policy setting from the domain is overriding your policy setting.

Cause: Group Policy might not have refreshed its policy settings. Group Policy applies changes to policy settings periodically; therefore, it is likely that the policy changes that were made in the directory have not yet been refreshed.

Solutions:

  1. The computer on which you modify software restriction policies for the network must be able to contact a domain controller. Ensure the computer can contact a domain controller.

  2. Refresh policy by logging off of the network and then logging on to the network again. If any policy is applied through Group Policy, logging back on will refresh those policies.

  3. You can refresh policy settings with the command-line utility gpupdate or by logging off from and then logging back on to your computer. For best results, run gpupdate, and then log off from and log back on to your computer. Generally, the security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes. These are configurable settings, so refresh intervals might be different in each domain.

  4. Check which policies apply. Check domain-level policies for No Override settings.

  5. Software restriction policies that are specified in a domain through Group Policy override any policies that are configured locally. Use the Gpresult command-line tool to determine what the net effect of the policy is. This might mean that a policy from the domain is overriding your local setting.

  6. If SRP and AppLocker policy settings are in the same GPO, AppLocker settings will take precedence on Windows 7, Windows Server 2008 R2, and later. It is recommended to put SRP and AppLocker policy settings in different GPOs.
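The following PowerShell script walks through solutions 1, 3, 4 and 5 above in one pass. It is an added example and not part of the Microsoft topic; it assumes an elevated PowerShell session on the domain-joined computer, that the GroupPolicy RSAT module is installed for the No Override (Enforced) check, and that `$TargetOU` is replaced with the distinguished name of the OU that holds the computer (the value below is a placeholder).

```powershell
# Added example, not from the Microsoft topic.
# Assumes: elevated PowerShell on a domain-joined machine; GroupPolicy module present.
$TargetOU = 'OU=Workstations,DC=example,DC=com'   # placeholder: replace with your OU

# Solution 1: the machine must be able to reach a domain controller.
# Test-ComputerSecureChannel returns $false when the machine's secure channel is broken.
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning 'Secure channel to the domain is broken; Group Policy cannot refresh.'
}

# Solution 3: force a refresh of both computer and user policy rather than waiting
# for the periodic interval (90 minutes on members, 5 minutes on domain controllers).
gpupdate /force /target:computer | Out-Null
gpupdate /force /target:user     | Out-Null

# Solution 5: show the resultant set of policy so you can see which GPOs were applied
# (and which were filtered out) for the computer scope.
gpresult /r /scope:computer

# Solution 4: list the GPO links on the OU and flag the ones marked Enforced
# (the "No Override" setting), which win over links lower in the hierarchy.
Import-Module GroupPolicy -ErrorAction Stop
(Get-GPInheritance -Target $TargetOU).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order |
    Sort-Object Order |
    Format-Table -AutoSize
```

After the refresh, log off and back on as the topic recommends; a link that shows `Enforced = True` in the last table is the first place to look when a domain setting keeps overriding a local one.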

After adding a rule through SRP, you cannot log on to your computer

Cause: Your computer accesses many programs and files when it starts. You might have inadvertently set one of these programs or files to Disallowed. Because the computer cannot access the program or file, it cannot start properly.

Solution: Start the computer in Safe Mode, log on as a local administrator, and then change software restriction policies to allow the program or file to run.

A new policy setting is not applying to a specific file name extension

Cause: The file name extension is not in the list of supported file types.

Solution: Add the file name extension to the list of file types supported by SRP.

Software restriction policies address the problem of regulating unknown or untrusted code. Software restriction policies are security settings that identify software and control its ability to run on a local computer, in a site, domain, or OU, and they can be implemented through a GPO.

A default rule is not restricting as expected

Cause: Rules are applied in a particular order, which can cause default rules to be overridden by more specific rules. SRP applies rules in the following order (most specific to most general):

  1. Hash rules

  2. Certificate rules

  3. Path rules

  4. Internet Zone rules

  5. Default rules

Solution: Evaluate the rules restricting the application and, if appropriate, remove all but the Default rule.
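To make the precedence order concrete, here is an added PowerShell model (not Microsoft's code and not an export of a real policy) that resolves which rule applies to a file using the order listed above, hash first and default last. It goes slightly beyond the list in one respect: when several path rules match, it lets the longest (most specific) path pattern win, which is how SRP treats overlapping path rules. The rule set and file paths are constructed sample data, the hash value is a placeholder, and certificate and Internet Zone matching are stubbed out because they need the real policy engine.

```powershell
# Added example, not from the Microsoft topic. Models SRP rule precedence only.
# Lower number = more specific = evaluated first (order from the topic above).
$Precedence = @{ Hash = 1; Certificate = 2; Path = 3; InternetZone = 4; Default = 5 }

# Constructed sample policy: the default level is Disallowed, a path rule allows
# everything under C:\Program Files\, and a narrower path rule blocks one subfolder.
$SampleRules = @(
    [pscustomobject]@{ Type = 'Default'; Match = '*';                         Level = 'Disallowed'   },
    [pscustomobject]@{ Type = 'Path';    Match = 'C:\Program Files\*';        Level = 'Unrestricted' },
    [pscustomobject]@{ Type = 'Path';    Match = 'C:\Program Files\Tool\*';   Level = 'Disallowed'   },
    [pscustomobject]@{ Type = 'Hash';    Match = 'PLACEHOLDER-HASH-VALUE';    Level = 'Disallowed'   }
)

function Resolve-SrpRule {
    param(
        [Parameter(Mandatory)] [string]   $FilePath,
        [string]   $FileHash,          # optional: hash of the file being evaluated
        [object[]] $Rules
    )
    # Collect every rule that matches the file.
    $matched = foreach ($r in $Rules) {
        $hit = switch ($r.Type) {
            'Hash'    { [bool]$FileHash -and ($r.Match -eq $FileHash) }
            'Path'    { $FilePath -like $r.Match }   # path rules accept wildcards
            'Default' { $true }                      # the default rule matches everything
            default   { $false }                     # Certificate / InternetZone: not modelled
        }
        if ($hit) { $r }
    }
    # Most specific rule type wins; among rules of the same type, the longest
    # (most specific) pattern wins.
    $matched |
        Sort-Object @{ Expression = { $Precedence[$_.Type] } },
                    @{ Expression = { $_.Match.Length }; Descending = $true } |
        Select-Object -First 1
}

# Constructed inputs: neither file exists; only the path strings matter to the model.
Resolve-SrpRule -FilePath 'C:\Program Files\App\app.exe'  -Rules $SampleRules
Resolve-SrpRule -FilePath 'C:\Program Files\Tool\t.exe'   -Rules $SampleRules
Resolve-SrpRule -FilePath 'C:\Users\Public\x.exe' -FileHash 'PLACEHOLDER-HASH-VALUE' -Rules $SampleRules
```

The first call resolves to the Unrestricted path rule even though the default level is Disallowed, which is exactly the symptom this section describes; the second resolves to the narrower Disallowed path rule; the third resolves to the hash rule because a hash match outranks every other rule type. Removing the broad path rule, as the solution suggests, lets the default rule take effect for the first file.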

Unable to discover which restrictions are applied

Cause: There is no apparent cause for the unexpected behavior, and a GPO refresh has not solved the issue, so further investigation is necessary.

Solutions:

  1. Investigate the System Event Log, filtering on a source of "Software Restriction Policy". The entries explicitly state which rule is implemented for each application.

  2. Enable advanced logging. See Determine Allow-Deny List and Application Inventory for Software Restriction Policies for more information.
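The event-log search in solution 1 can be scripted so that every SRP enforcement event from the last day or two is listed in one place, with the rule that fired. This is an added example, not part of the Microsoft topic; it assumes the SRP event provider's name contains the string "SoftwareRestrictionPolic" (the topic refers to the source as "Software Restriction Policy"), and because the log that receives these events differs between Windows versions it queries both the System and Application logs.

```powershell
# Added example, not from the Microsoft topic.
# Assumption: the SRP provider name contains "SoftwareRestrictionPolic"; adjust the
# wildcard if Event Viewer shows a different source name on your system.
function Get-SrpEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in 'System', 'Application') {
        # Pull recent events from the log, then keep only those from the SRP source.
        # -ErrorAction SilentlyContinue avoids a terminating error when no events match.
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
            Where-Object { $_.ProviderName -like '*SoftwareRestrictionPolic*' } |
            Select-Object TimeCreated, Id, ProviderName,
                          @{ Name = 'Log'; Expression = { $log } },
                          Message
    }
}

# Show the last 48 hours of SRP enforcement events, oldest first. The Message field
# names the program that was blocked and the rule (default level, path, hash, ...)
# that blocked it, which is the information solution 1 tells you to look for.
Get-SrpEvents -Hours 48 | Sort-Object TimeCreated | Format-List
```

Run it on the affected computer in an elevated session; if it returns nothing, confirm the source name in Event Viewer and then move on to advanced logging as described in solution 2.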