Solved

Powershell: set-execution policy override Allsigned

Posted on 2012-04-10
7
1,734 Views
Last Modified: 2012-06-21
All our computers have a group policy that enables allsigned.

Set-ExecutionPolicy -ExecutionPolicy AllSigned

Open in new window


I want to override this feature for my machine.  Whats the best way to achieve this?

 

Thanks
0
Comment
Question by:resolver1
7 Comments
 
LVL 7

Assisted Solution

by:BelushiLomax
BelushiLomax earned 166 total points
Comment Utility
create a policy to apply only to you that sets:
Set-ExecutionPolicy Unrestricted
It all depends on your AD structure how the cleanest way to do that is, but you will need to undo the policy for yourself using this GPO closer to your Account than the other so it applies later.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 167 total points
Comment Utility
Just to add the setting is in different areas depending on the version you are on

http://technet.microsoft.com/en-us/library/dd347641.aspx

The PowerShellExecutionPolicy.adm and PowerShellExecutionPolicy.admx
    files add the "Turn on Script Execution" policy to the Computer
    Configuration and User Configuration nodes in Group Policy Editor in
    the following paths.

        For Windows XP and Windows Server 2003:
        Administrative Templates\Windows Components\Windows PowerShell

        For Windows Vista and later versions of Windows:
        Administrative Templates\Classic Administrative Templates\
        Windows Components\Windows PowerShell

Are you a sys admin in your domain?  Wasn't sure if you have rights to updates GPOs or make new GPOs.  Always test if you can.

Thanks

Mike
0
 
LVL 2

Accepted Solution

by:
un0ri earned 167 total points
Comment Utility
I would suggest not setting it to unrestricted, as a minimum set it to remote-signed, and depending on how often you are modifying scripts set it so you can change your policy on the fly (so you can leave it in allsigned unless you are working on something).

If you have a GPO that sets allsigned you cannot override this on the local system as it will always be overwritten by the domain GPO.  You will need either an alternative GPO that is applied last which sets a different policy, or deny your computer access to the main GPO, replicate it with the changed powershell execution policy, apply this one to your system. (Make sure that everyone but your system has explicit deny on it to prevent mishaps).

You need to be aware of the order that the GPO will be applied in (see http://technet.microsoft.com/en-us/library/cc778890%28WS.10%29.aspx)
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:resolver1
Comment Utility
Thanks for your replys.  Its been a long time since i've used Group Policys.  We're pretty flat AD structure.  I created a administrators OU in both computers and users.  Attached a group policy that enables "Unrestricted" powershell scripts (for user and computer config).  Add my computer and user to the new administrators group and it still doesn't allow me to run a script unless its signed.  As you can see below the machine policy is still set to "AllSigned" after gpupdate is run on my machine.  

See below:  


PS C:\> Get-ExecutionPolicy -List

                                                      Scope                                             ExecutionPolicy
                                                      -----                                             ---------------
                                              MachinePolicy                                                   AllSigned
                                                 UserPolicy                                                   Undefined
                                                    Process                                                   Undefined
                                                CurrentUser                                                   Undefined
                                               LocalMachine                                                Unrestricted

PS C:\> gpupdate
Updating Policy...

User Policy update has completed successfully.
Computer Policy update has completed successfully.

PS C:\> Get-ExecutionPolicy -List

                                                      Scope                                             ExecutionPolicy
                                                      -----                                             ---------------
                                              MachinePolicy                                                   AllSigned
                                                 UserPolicy                                                Unrestricted
                                                    Process                                                   Undefined
                                                CurrentUser                                                   Undefined
                                               LocalMachine                                                Unrestricted


group policy inheritance
0
 
LVL 2

Expert Comment

by:un0ri
Comment Utility
What is your exact setting in the 'unrestricted' policy?  If you have already set a policy just disabling it will not change it.  You need to first set a new policy that sets the execution policy to 'allow all scripts'.

Then set a new policy that has this disabled, which should then allow you to manage it locally on the box.

If you prefer to manage it through GPOs I would suggest setting it to 'Allow local scripts and remote signed scripts' and just leave it on that.
0
 

Author Comment

by:resolver1
Comment Utility
Its now working. I ran GPUpdate and I have the desired setting "Unrestricted" (only on my computer) :-)

Maybe it took a while for the settings to receive and update.  I thought GP was instance aslong as you ran gpudpate on the client.???

Any thanks for all your help guys
0
 

Author Closing Comment

by:resolver1
Comment Utility
Thanks again!
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

How to sign a powershell script so you can prevent tampering, and only allow users to run authorised Powershell scripts
A procedure for exporting installed hotfix details of remote computers using powershell
Learn the basics of lists in Python. Lists, as their name suggests, are a means for ordering and storing values. : Lists are declared using brackets; for example: t = [1, 2, 3]: Lists may contain a mix of data types; for example: t = ['string', 1, T…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now