Override GPO for PowerShell Execution Policy

Let's talk about the execution policy and how it almost hurt us.

Guess what?
Yes sir, the Execution Policy for PowerShell never knew this would ever come.
Here is how Microsoft tells us to check and change the execution policy: run the commands below.

Get-ExecutionPolicy & Set-ExecutionPolicy

The above commands change the policy just for the PowerShell session they are run in, but not for all the following PowerShell sessions.
However, the Group Policy always takes precedence over the local policy.

We were doing a SQL Server migration from 2005 to 2012, which included migrating the database that the AppFabric Caching cluster servers use.

As many of you know AppFabric heavily relies on PowerShell to make its configuration changes.
I will write another post on how to do that manually, but let's focus on how we were bitten by this policy setting.

It turned out that the executable (the AppFabric Config Wizard) was trying to use an ExecutionPolicy other than the one set in the Group Policy Object.
The GPO was set to Unrestricted and the Executable was trying to use AllSigned.

This resulted in the following exception every time we were trying to register the AppFabric hosts to the new Database instance.


The same thing happened when we tried to change the execution policy for the PowerShell session itself:

PS > Set-ExecutionPolicy "AllSigned" -Scope Process -Confirm:$false

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic. Do you want to change the execution
policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y
Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by a
policy defined at a more specific scope.  Due to the override, your shell will retain its current effective execution
policy of "Unrestricted". Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more information
, please see "Get-Help Set-ExecutionPolicy."
At line:1 char:20
+ Set-ExecutionPolicy <<<<  "AllSigned" -Scope Process -Confirm:$false
    + CategoryInfo          : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException
    + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand

Enough said and let me come to the solution.
There are two ways to fix this.

1. Temporary Fix to get you through the evening.
Delete the registry key named ExecutionPolicy that is being pushed by the Group Policy object located at
Hive : HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell

2. Permanent Fix to make sure this never happens again.

Work with your Domain Admins, or whoever controls the Group Policies at the Active Directory level, and have them set the execution policy to Undefined.

The Group Policy configuration in Windows Server 2008 (and Windows Server 2003) allows a GPO to configure the PowerShell operation level centrally. Within Group Policy, navigate to
Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell and configure the Script Execution setting.
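
To confirm which scope is actually winning before and after either fix, the following added example (not part of the original post) lists every scope in precedence order, reads the ExecutionPolicy value that Group Policy writes under the Policies key, and flags a GPO override. The function name Get-EffectiveExecutionPolicySource is hypothetical, and the HKCU path for the UserPolicy scope is assumed to be the per-user counterpart of the HKLM path given above.

```powershell
# Added example: report which execution-policy scope is in effect on this machine.
function Get-EffectiveExecutionPolicySource {
    # Get-ExecutionPolicy -List returns the scopes in precedence order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    $scopes = Get-ExecutionPolicy -List

    # The first scope that is not Undefined decides the effective policy.
    $winner = $scopes | Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1

    # Registry locations that Group Policy writes for the two policy scopes.
    $policyKeys = @{
        MachinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
        UserPolicy    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    }

    foreach ($entry in $scopes) {
        $name     = [string]$entry.Scope
        $regValue = $null
        if ($policyKeys.ContainsKey($name)) {
            # The value is absent when the GPO setting is not configured.
            $prop = Get-ItemProperty -Path $policyKeys[$name] -Name ExecutionPolicy `
                -ErrorAction SilentlyContinue
            if ($prop) { $regValue = $prop.ExecutionPolicy }
        }
        # New-Object keeps this usable on PowerShell 2.0 as well.
        New-Object PSObject -Property @{
            Scope         = $name
            Policy        = [string]$entry.ExecutionPolicy
            RegistryValue = $regValue
            IsEffective   = [bool]($winner -and $entry.Scope -eq $winner.Scope)
            SetByGpo      = ($policyKeys.ContainsKey($name) -and
                             $entry.ExecutionPolicy -ne 'Undefined')
        } | Select-Object Scope, Policy, RegistryValue, IsEffective, SetByGpo
    }
}

$report = @(Get-EffectiveExecutionPolicySource)
$report | Format-Table -AutoSize

$gpo = $report | Where-Object { $_.IsEffective -and $_.SetByGpo }
if ($gpo) {
    Write-Warning ("Effective policy '{0}' comes from the {1} scope; Set-ExecutionPolicy at a lower scope will fail with ExecutionPolicyOverride." -f $gpo.Policy, $gpo.Scope)
} else {
    Write-Output ("Effective policy: {0} (no Group Policy override)." -f (Get-ExecutionPolicy))
}
```
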

13 comments on “Override GPO for PowerShell Execution Policy”
  1. Edward I says:

    This was really helpful (#1 temporary fix), but instead of deleting the reg key I changed the value from “Unrestricted” to “Bypass”. It’ll keep the app guys at bay for now till the GP gets updated. Thanks!

    • akommireddi says:

      True, bypass will be the correct option. Was too desperate to get my production appfabric cluster re-installation going after a corrupted database. Will update the same.

  2. Juuvi says:

    Thanks for this, brother

  3. gpo modipla says:

    Very good information. Lucky me I ran across your site by chance (stumbleupon).
    I have bookmarked it for later!

  4. ssbboo says:

    Thank you! Solution 1 worked for me (Win 7, VS 2013)

  5. Thanks!! Solution 1 worked for me too! (Win 7, VS 2013 Update 5)

  6. […] Source: Override GPO for PowerShell Execution Policy | Avinash’s Blog […]

  7. […] It’s likely caused by a Group Policy Object (GPO) which is setting a domain-policy on PowerShell restrictions.  Even if you modify and update group policy, this error condition may persist.  Based on an article here: https://powershellpanda.wordpress.com/2013/12/01/override-gpo-for-powershell-execution-policy/ […]

  8. Ameen says:

    Good Job,

  9. kced20 says:

    Thank you so much for your help. The temporary fix definitely worked for me

  10. You’ve just saved me a lot of head-banging time 🙂
