Home / server / Questions / 528238
Accepted
Stephane
Asked: 2013-08-03 05:21:35 +0800 CST

What can cause Powershell execution policy not to be taken into account?

  • 772

We have in our infrastructure a number of powershell scripts used for various tasks ranging from user login to support technician simulating a user context.

These scripts are centralized on our file server (through DFS) for easier management. Some of them are run at logon, some are run through published Citrix applications.

We have applied a policy for the whole domain and all users that sets the Powershell execution policy to "unrestricted" so that the scripts can run from the file server.

This works perfectly fine for logon script (at least, so far) but for scripts that are run later (usually through a published application but the same applies when using terminal services and a full desktop), the results are inconsistent: some users can run the script fine, some are always prompted in the powershell console for letting the scripts run.

I cannot find anything that could cause this behavior and it's really inconsistent: if I start powershell manually and runs get-executionpolicy, I am told that the current policy is unrestricted. Yet, if from the same session I try to run a script through a program that calls powershell <script file name> <parameters> I get prompted before the script can run.

What could cause such behavior ?

powershell

1 Answers

  1. Best Answer

    I'm guessing that the prompt you're seeing looks like this:

    Security Warning Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your computer. Do you want to run \server\scripts\my.ps1? [D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): d

    If you run "get-help about_execution_policies", you'll see the behavior for 'Unrestricted' defined as:

     Unrestricted
 - Unsigned scripts can run. (This risks running malicious
   scripts.)

 - Warns the user before running scripts and configuration
   files that are downloaded from the Internet.

    Even when set to Unrestricted, PowerShell will prompt you to run scripts that it thinks were downloaded from the internet -- this can include scripts being called from UNC paths. You can adjust the behavior by tweaking the Internet Explorer security zones on the computer (yes, really), and/or by configuring .NET code access security policies on the system using caspol.exe.

    Here are some helpful links if this is in fact the prompt you're seeing:

    http://blogs.msdn.com/b/powershell/archive/2007/05/06/running-scripts-downloaded-from-the-internet.aspx

    http://www.leeholmes.com/blog/2008/07/24/powershell-execution-policies-in-standard-images/

    http://powertoe.wordpress.com/2010/08/10/corporate-powershell-module-repository-part-1-design-and-infrastructure/

    • 4