Override GPO for PowerShell Execution Policy

Let's talk about the execution policy and how it almost hurt us.

Guess what?
Yes sir, the Execution Policy for PowerShell never knew this would ever come.
Here is how Microsoft tells us to change the execution policy: run the commands below.

Get-ExecutionPolicy & Set-ExecutionPolicy

The above commands change the policy just for the PowerShell session they are made on but not for all the following PowerShell sessions.
However, the group policy always takes precedence over the local policy.

We were doing a SQL Server migration from 2005 to 2012, which included migrating the database that the AppFabric Caching cluster servers are using.

As many of you know, AppFabric relies heavily on PowerShell to make its configuration changes.
I will come up with another blog on how to do that manually, but let's focus on how we were bitten by this policy setting.

It turned out that the executable (the AppFabric Config Wizard) was trying to use an ExecutionPolicy other than the one set in the Group Policy Object.
The GPO was set to Unrestricted and the executable was trying to use AllSigned.

This resulted in the following exception every time we tried to register the AppFabric hosts to the new database instance.

[Image: clip_image002]

We got the same result when we tried to change the execution policy for the PowerShell sessions as well.

PS > Set-ExecutionPolicy "AllSigned" -Scope Process -Confirm:$false

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic. Do you want to change the execution
policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y
Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by a
policy defined at a more specific scope.  Due to the override, your shell will retain its current effective execution
policy of "Unrestricted". Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more information
, please see "Get-Help Set-ExecutionPolicy."
At line:1 char:20
+ Set-ExecutionPolicy <<<<  "AllSigned" -Scope Process -Confirm:$false
    + CategoryInfo          : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException
    + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand

Enough said; let me come to the solution.
There are two ways to fix this.

1. Temporary fix to get you through the evening.
Delete the registry value named ExecutionPolicy that is being pushed by the Group Policy Object. It is located under
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell

2. Permanent fix to make sure this never happens again.

Work with your Domain Admins, or whoever controls the Group Policies at the Active Directory level, and have them set the execution policy to undefined.

The Group Policy configuration in Windows Server 2008 (and Windows Server 2003) allows a GPO to configure the PowerShell operation level centrally. Within Group Policy, navigate to
Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell and configure the Script Execution setting.
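Before touching the registry or asking for a GPO change, it helps to confirm which scope is actually deciding the effective policy. The following is an added example, not part of the original post or of AppFabric: the function name Get-ExecutionPolicySource is hypothetical, and it assumes the Group Policy setting is stored in the ExecutionPolicy and EnableScripts values under the Policies key named above (HKLM for the computer policy, HKCU for the user policy).

```powershell
# Added example: show which scope decides the effective execution policy
# and whether a Group Policy registry value is behind it. Read-only.
function Get-ExecutionPolicySource {
    # Get-ExecutionPolicy -List returns the scopes in precedence order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    $scopes = Get-ExecutionPolicy -List

    # The first scope that is not Undefined wins; lower scopes are ignored.
    $winner = $scopes | Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1

    # Registry locations written by Group Policy for the two policy scopes.
    $policyKeys = @{
        'MachinePolicy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
        'UserPolicy'    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    }

    foreach ($s in $scopes) {
        $regPolicy = $null
        $regEnable = $null
        $key = $policyKeys["$($s.Scope)"]
        if ($key -and (Test-Path $key)) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $regPolicy = $props.ExecutionPolicy   # e.g. Unrestricted, AllSigned
            $regEnable = $props.EnableScripts     # 1 = setting enabled, 0 = disabled
        }
        # New-Object + Select-Object keeps this usable on PowerShell 2.0 as well.
        New-Object psobject -Property @{
            Scope           = "$($s.Scope)"
            ExecutionPolicy = "$($s.ExecutionPolicy)"
            Decides         = [bool]($winner -and ($s.Scope -eq $winner.Scope))
            GpoRegistryPath = $key
            RegistryPolicy  = $regPolicy
            EnableScripts   = $regEnable
        } | Select-Object Scope, ExecutionPolicy, Decides, GpoRegistryPath, RegistryPolicy, EnableScripts
    }
}

Get-ExecutionPolicySource | Format-Table -AutoSize
```

If the row with Decides set to True is MachinePolicy or UserPolicy, a Set-ExecutionPolicy call at Process, CurrentUser or LocalMachine scope cannot take effect, which is the ExecutionPolicyOverride error shown above. Deleting the registry value only lasts until the next Group Policy refresh writes it back, which is why the GPO itself has to change for the permanent fix.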


Happy Birthday to the blogging me!!

Hello World!!

I came up with this crazy idea of blogging.
Yes Sir!! This is my first ever blog.
Here in this space I want to share my learnings with young and new PowerShell enthusiasts and at the same time learn from them.
I am expecting this blog to motivate me even further to master PowerShell in my own strengths.

Like the Scripting Guy said... Happy Scripting!

And hey, thanks for visiting my blog. Stay tuned for more posts, and I promise I’ll be regular.
