Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Powershell: set-execution policy override Allsigned

Posted on 2012-04-10
7
1,790 Views
Last Modified: 2012-06-21
All our computers have a group policy that enables allsigned.

Set-ExecutionPolicy -ExecutionPolicy AllSigned

Open in new window


I want to override this feature for my machine.  Whats the best way to achieve this?

 

Thanks
0
Comment
Question by:resolver1
7 Comments
 
LVL 7

Assisted Solution

by:BelushiLomax
BelushiLomax earned 166 total points
ID: 37828585
create a policy to apply only to you that sets:
Set-ExecutionPolicy Unrestricted
It all depends on your AD structure how the cleanest way to do that is, but you will need to undo the policy for yourself using this GPO closer to your Account than the other so it applies later.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 167 total points
ID: 37828622
Just to add the setting is in different areas depending on the version you are on

http://technet.microsoft.com/en-us/library/dd347641.aspx

The PowerShellExecutionPolicy.adm and PowerShellExecutionPolicy.admx
    files add the "Turn on Script Execution" policy to the Computer
    Configuration and User Configuration nodes in Group Policy Editor in
    the following paths.

        For Windows XP and Windows Server 2003:
        Administrative Templates\Windows Components\Windows PowerShell

        For Windows Vista and later versions of Windows:
        Administrative Templates\Classic Administrative Templates\
        Windows Components\Windows PowerShell

Are you a sys admin in your domain?  Wasn't sure if you have rights to updates GPOs or make new GPOs.  Always test if you can.

Thanks

Mike
0
 
LVL 2

Accepted Solution

by:
un0ri earned 167 total points
ID: 37830435
I would suggest not setting it to unrestricted, as a minimum set it to remote-signed, and depending on how often you are modifying scripts set it so you can change your policy on the fly (so you can leave it in allsigned unless you are working on something).

If you have a GPO that sets allsigned you cannot override this on the local system as it will always be overwritten by the domain GPO.  You will need either an alternative GPO that is applied last which sets a different policy, or deny your computer access to the main GPO, replicate it with the changed powershell execution policy, apply this one to your system. (Make sure that everyone but your system has explicit deny on it to prevent mishaps).

You need to be aware of the order that the GPO will be applied in (see http://technet.microsoft.com/en-us/library/cc778890%28WS.10%29.aspx)
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:resolver1
ID: 37831797
Thanks for your replys.  Its been a long time since i've used Group Policys.  We're pretty flat AD structure.  I created a administrators OU in both computers and users.  Attached a group policy that enables "Unrestricted" powershell scripts (for user and computer config).  Add my computer and user to the new administrators group and it still doesn't allow me to run a script unless its signed.  As you can see below the machine policy is still set to "AllSigned" after gpupdate is run on my machine.  

See below:  


PS C:\> Get-ExecutionPolicy -List

                                                      Scope                                             ExecutionPolicy
                                                      -----                                             ---------------
                                              MachinePolicy                                                   AllSigned
                                                 UserPolicy                                                   Undefined
                                                    Process                                                   Undefined
                                                CurrentUser                                                   Undefined
                                               LocalMachine                                                Unrestricted

PS C:\> gpupdate
Updating Policy...

User Policy update has completed successfully.
Computer Policy update has completed successfully.

PS C:\> Get-ExecutionPolicy -List

                                                      Scope                                             ExecutionPolicy
                                                      -----                                             ---------------
                                              MachinePolicy                                                   AllSigned
                                                 UserPolicy                                                Unrestricted
                                                    Process                                                   Undefined
                                                CurrentUser                                                   Undefined
                                               LocalMachine                                                Unrestricted


group policy inheritance
0
 
LVL 2

Expert Comment

by:un0ri
ID: 37832107
What is your exact setting in the 'unrestricted' policy?  If you have already set a policy just disabling it will not change it.  You need to first set a new policy that sets the execution policy to 'allow all scripts'.

Then set a new policy that has this disabled, which should then allow you to manage it locally on the box.

If you prefer to manage it through GPOs I would suggest setting it to 'Allow local scripts and remote signed scripts' and just leave it on that.
0
 

Author Comment

by:resolver1
ID: 37832746
Its now working. I ran GPUpdate and I have the desired setting "Unrestricted" (only on my computer) :-)

Maybe it took a while for the settings to receive and update.  I thought GP was instance aslong as you ran gpudpate on the client.???

Any thanks for all your help guys
0
 

Author Closing Comment

by:resolver1
ID: 37832756
Thanks again!
0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
The Nano Server Image Builder helps you create a custom Nano Server image and bootable USB media with the aid of a graphical interface. Based on the inputs you provide, it generates images for deployment and creates reusable PowerShell scripts that …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question