Solved

Powershell: set-execution policy override Allsigned

Posted on 2012-04-10
7
1,838 Views
Last Modified: 2012-06-21
All our computers have a group policy that enables allsigned.

Set-ExecutionPolicy -ExecutionPolicy AllSigned

Open in new window


I want to override this feature for my machine.  Whats the best way to achieve this?

 

Thanks
0
Comment
Question by:resolver1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 7

Assisted Solution

by:BelushiLomax
BelushiLomax earned 166 total points
ID: 37828585
create a policy to apply only to you that sets:
Set-ExecutionPolicy Unrestricted
It all depends on your AD structure how the cleanest way to do that is, but you will need to undo the policy for yourself using this GPO closer to your Account than the other so it applies later.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 167 total points
ID: 37828622
Just to add the setting is in different areas depending on the version you are on

http://technet.microsoft.com/en-us/library/dd347641.aspx

The PowerShellExecutionPolicy.adm and PowerShellExecutionPolicy.admx
    files add the "Turn on Script Execution" policy to the Computer
    Configuration and User Configuration nodes in Group Policy Editor in
    the following paths.

        For Windows XP and Windows Server 2003:
        Administrative Templates\Windows Components\Windows PowerShell

        For Windows Vista and later versions of Windows:
        Administrative Templates\Classic Administrative Templates\
        Windows Components\Windows PowerShell

Are you a sys admin in your domain?  Wasn't sure if you have rights to updates GPOs or make new GPOs.  Always test if you can.

Thanks

Mike
0
 
LVL 2

Accepted Solution

by:
un0ri earned 167 total points
ID: 37830435
I would suggest not setting it to unrestricted, as a minimum set it to remote-signed, and depending on how often you are modifying scripts set it so you can change your policy on the fly (so you can leave it in allsigned unless you are working on something).

If you have a GPO that sets allsigned you cannot override this on the local system as it will always be overwritten by the domain GPO.  You will need either an alternative GPO that is applied last which sets a different policy, or deny your computer access to the main GPO, replicate it with the changed powershell execution policy, apply this one to your system. (Make sure that everyone but your system has explicit deny on it to prevent mishaps).

You need to be aware of the order that the GPO will be applied in (see http://technet.microsoft.com/en-us/library/cc778890%28WS.10%29.aspx)
0
Monthly Recap

May was a big month for new releases from Linux Academy! Take a look at what our team built recently in our blog. You can access the newest releases from our blog.

 

Author Comment

by:resolver1
ID: 37831797
Thanks for your replys.  Its been a long time since i've used Group Policys.  We're pretty flat AD structure.  I created a administrators OU in both computers and users.  Attached a group policy that enables "Unrestricted" powershell scripts (for user and computer config).  Add my computer and user to the new administrators group and it still doesn't allow me to run a script unless its signed.  As you can see below the machine policy is still set to "AllSigned" after gpupdate is run on my machine.  

See below:  


PS C:\> Get-ExecutionPolicy -List

                                                      Scope                                             ExecutionPolicy
                                                      -----                                             ---------------
                                              MachinePolicy                                                   AllSigned
                                                 UserPolicy                                                   Undefined
                                                    Process                                                   Undefined
                                                CurrentUser                                                   Undefined
                                               LocalMachine                                                Unrestricted

PS C:\> gpupdate
Updating Policy...

User Policy update has completed successfully.
Computer Policy update has completed successfully.

PS C:\> Get-ExecutionPolicy -List

                                                      Scope                                             ExecutionPolicy
                                                      -----                                             ---------------
                                              MachinePolicy                                                   AllSigned
                                                 UserPolicy                                                Unrestricted
                                                    Process                                                   Undefined
                                                CurrentUser                                                   Undefined
                                               LocalMachine                                                Unrestricted


group policy inheritance
0
 
LVL 2

Expert Comment

by:un0ri
ID: 37832107
What is your exact setting in the 'unrestricted' policy?  If you have already set a policy just disabling it will not change it.  You need to first set a new policy that sets the execution policy to 'allow all scripts'.

Then set a new policy that has this disabled, which should then allow you to manage it locally on the box.

If you prefer to manage it through GPOs I would suggest setting it to 'Allow local scripts and remote signed scripts' and just leave it on that.
0
 

Author Comment

by:resolver1
ID: 37832746
Its now working. I ran GPUpdate and I have the desired setting "Unrestricted" (only on my computer) :-)

Maybe it took a while for the settings to receive and update.  I thought GP was instance aslong as you ran gpudpate on the client.???

Any thanks for all your help guys
0
 

Author Closing Comment

by:resolver1
ID: 37832756
Thanks again!
0

Featured Post

Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
In this fifth video of the Xpdf series, we discuss and demonstrate the PDFdetach utility, which is able to list and, more importantly, extract attachments that are embedded in PDF files. It does this via a command line interface, making it suitable …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question