Solved

Powershell: set-execution policy override Allsigned

Posted on 2012-04-10
7
1,809 Views
Last Modified: 2012-06-21
All our computers have a group policy that enables allsigned.

Set-ExecutionPolicy -ExecutionPolicy AllSigned

Open in new window


I want to override this feature for my machine.  Whats the best way to achieve this?

 

Thanks
0
Comment
Question by:resolver1
7 Comments
 
LVL 7

Assisted Solution

by:BelushiLomax
BelushiLomax earned 166 total points
ID: 37828585
create a policy to apply only to you that sets:
Set-ExecutionPolicy Unrestricted
It all depends on your AD structure how the cleanest way to do that is, but you will need to undo the policy for yourself using this GPO closer to your Account than the other so it applies later.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 167 total points
ID: 37828622
Just to add the setting is in different areas depending on the version you are on

http://technet.microsoft.com/en-us/library/dd347641.aspx

The PowerShellExecutionPolicy.adm and PowerShellExecutionPolicy.admx
    files add the "Turn on Script Execution" policy to the Computer
    Configuration and User Configuration nodes in Group Policy Editor in
    the following paths.

        For Windows XP and Windows Server 2003:
        Administrative Templates\Windows Components\Windows PowerShell

        For Windows Vista and later versions of Windows:
        Administrative Templates\Classic Administrative Templates\
        Windows Components\Windows PowerShell

Are you a sys admin in your domain?  Wasn't sure if you have rights to updates GPOs or make new GPOs.  Always test if you can.

Thanks

Mike
0
 
LVL 2

Accepted Solution

by:
un0ri earned 167 total points
ID: 37830435
I would suggest not setting it to unrestricted, as a minimum set it to remote-signed, and depending on how often you are modifying scripts set it so you can change your policy on the fly (so you can leave it in allsigned unless you are working on something).

If you have a GPO that sets allsigned you cannot override this on the local system as it will always be overwritten by the domain GPO.  You will need either an alternative GPO that is applied last which sets a different policy, or deny your computer access to the main GPO, replicate it with the changed powershell execution policy, apply this one to your system. (Make sure that everyone but your system has explicit deny on it to prevent mishaps).

You need to be aware of the order that the GPO will be applied in (see http://technet.microsoft.com/en-us/library/cc778890%28WS.10%29.aspx)
0
Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

 

Author Comment

by:resolver1
ID: 37831797
Thanks for your replys.  Its been a long time since i've used Group Policys.  We're pretty flat AD structure.  I created a administrators OU in both computers and users.  Attached a group policy that enables "Unrestricted" powershell scripts (for user and computer config).  Add my computer and user to the new administrators group and it still doesn't allow me to run a script unless its signed.  As you can see below the machine policy is still set to "AllSigned" after gpupdate is run on my machine.  

See below:  


PS C:\> Get-ExecutionPolicy -List

                                                      Scope                                             ExecutionPolicy
                                                      -----                                             ---------------
                                              MachinePolicy                                                   AllSigned
                                                 UserPolicy                                                   Undefined
                                                    Process                                                   Undefined
                                                CurrentUser                                                   Undefined
                                               LocalMachine                                                Unrestricted

PS C:\> gpupdate
Updating Policy...

User Policy update has completed successfully.
Computer Policy update has completed successfully.

PS C:\> Get-ExecutionPolicy -List

                                                      Scope                                             ExecutionPolicy
                                                      -----                                             ---------------
                                              MachinePolicy                                                   AllSigned
                                                 UserPolicy                                                Unrestricted
                                                    Process                                                   Undefined
                                                CurrentUser                                                   Undefined
                                               LocalMachine                                                Unrestricted


group policy inheritance
0
 
LVL 2

Expert Comment

by:un0ri
ID: 37832107
What is your exact setting in the 'unrestricted' policy?  If you have already set a policy just disabling it will not change it.  You need to first set a new policy that sets the execution policy to 'allow all scripts'.

Then set a new policy that has this disabled, which should then allow you to manage it locally on the box.

If you prefer to manage it through GPOs I would suggest setting it to 'Allow local scripts and remote signed scripts' and just leave it on that.
0
 

Author Comment

by:resolver1
ID: 37832746
Its now working. I ran GPUpdate and I have the desired setting "Unrestricted" (only on my computer) :-)

Maybe it took a while for the settings to receive and update.  I thought GP was instance aslong as you ran gpudpate on the client.???

Any thanks for all your help guys
0
 

Author Closing Comment

by:resolver1
ID: 37832756
Thanks again!
0

Featured Post

Secure Your Active Directory - April 20, 2017

Active Directory plays a critical role in your company’s IT infrastructure and keeping it secure in today’s hacker-infested world is a must.
Microsoft published 300+ pages of guidance, but who has the time, money, and resources to implement? Register now to find an easier way.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is intended as a guide to using PowerShell as a more versatile and reliable form of application detection in SCCM.
A recent project that involved parsing Tableau Desktop and Server log files to extract reusable user queries for use in other systems. I chose to use PowerShell to gather the data, and SharePoint to present it...
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question