Virtual Geek

Tales from real IT system administrators world and non-production environment

Set PowerShell execution policy with Group Policy

November 17, 2017 02:45PM

In this article I cover configuring the Windows PowerShell execution policy using Group Policy. Configuring environments properly ahead of time makes them easier to manage and lets you get your work done in a timely fashion. For example, I gave a few .ps1 PowerShell scripts to some of my non-technical end users to collect information for a specific period when an issue occurs. The next day they came back to me unable to run the scripts, because the script execution policy was Restricted (script execution disabled). Even though I had provided an SOP, it was not followed.

I solved the issue for a few users using the articles below, but when the setting has to be configured for more users, or for an entire organization, doing it manually is not practical. It can be automated instead with Group Policy.

Different ways to bypass Powershell execution policy :.ps1 cannot be loaded because running scripts is disabled
Powershell Trick : Execute or run any file as a script file

Open the Group Policy Management tool, either on an Active Directory server or from a client where the RSAT tools are installed. Expand the tree and locate Group Policy Objects. Right-click it and click New, then give the new GPO a name in the New GPO dialog box.


Once the new GPO has been created successfully, right-click it and choose Edit. Expand and select Computer Configuration\Administrative Templates: Policy definitions\Windows Components\Windows PowerShell\Turn on Script Execution. This policy lets you set the PowerShell execution policy. By default it is not configured.


Double-click Turn on Script Execution and select the script policy of your choice; the setting must be set to Enabled. For demo purposes I am choosing Allow all scripts, which is equivalent to Unrestricted. For more on the different policies, see Different ways to bypass Powershell execution policy :.ps1 cannot be loaded because running scripts is disabled.

This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. 

  • The "Allow all scripts" policy setting allows all scripts to run.
  • The "Allow only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher.
  • The "Allow local scripts and remote signed scripts" policy setting allows any local scripts to run; scripts that originate from the Internet must be signed by a trusted publisher.
  • If you disable this policy setting, no scripts are allowed to run.

Note: This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed."


Once the policy is enabled, its state shows as Enabled. The next step is linking the GPO to a domain or OU; for demo purposes I am linking it to the vcloud-lab domain. Right-click the domain and choose Link an Existing GPO. Select the policy from the list and click OK.


Once the GPO is linked, it appears under the domain as a shortcut. Confirm in Settings that the policy is configured correctly.
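The same create, configure and link steps can be scripted with the GroupPolicy module that ships with RSAT. This is an added example, not part of the original article: the GPO name and the target distinguished name are placeholders, and it defaults to RemoteSigned ("Allow local scripts and remote signed scripts"); pass -Policy Unrestricted to reproduce the "Allow all scripts" choice used in the demo.

```powershell
#Requires -Modules GroupPolicy
# Added example: scripted equivalent of the GPMC steps above.
# $GpoName and $Target are placeholders, not values from the article.
param(
    [string]$GpoName = 'PowerShell Execution Policy',
    [string]$Target  = 'DC=example,DC=com',
    # AllSigned    = "Allow only signed scripts"
    # RemoteSigned = "Allow local scripts and remote signed scripts"
    # Unrestricted = "Allow all scripts" (the article's demo choice)
    [ValidateSet('AllSigned', 'RemoteSigned', 'Unrestricted')]
    [string]$Policy  = 'RemoteSigned'
)

# Registry location written by the "Turn on Script Execution" computer policy.
$key = 'HKLM\Software\Policies\Microsoft\Windows\PowerShell'

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Sets the PowerShell execution policy'
}

# EnableScripts = 1 is the "Enabled" state; ExecutionPolicy is the drop-down choice.
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'EnableScripts' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'ExecutionPolicy' `
    -Type String -Value $Policy | Out-Null

# Link the GPO to the domain or OU; New-GPLink fails if the link already exists.
try {
    New-GPLink -Name $GpoName -Target $Target -LinkEnabled Yes -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "Link not created: $($_.Exception.Message)"
}

# Show what the GPO now contains under the policy key.
Get-GPRegistryValue -Name $GpoName -Key $key | Select-Object ValueName, Value
```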


Next, on the end-user client machine, open PowerShell as administrator. This step is not strictly required, because by default computer policy is downloaded, synced and refreshed from the GPO every 90 minutes, but I do it here to speed up the process for the demo. Running Get-ExecutionPolicy shows the current execution policy: it is Restricted, which doesn't allow .ps1 files to execute. Next, update Group Policy with gpupdate /force, which pulls the settings from the GPO. Once the update succeeds, reopen PowerShell and run Get-ExecutionPolicy again; it has now changed to Unrestricted. For more detail, run gpresult /r: the policy is listed under Applied Group Policy Objects.
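Get-ExecutionPolicy on its own only reports the effective value, not where it came from. The function below is an added example (its name is hypothetical, not from the article) that reports which scope decided the effective policy and cross-checks it against the registry values a computer-level "Turn on Script Execution" policy writes on the client.

```powershell
# Added example: report which scope decides the effective execution policy.
function Get-ExecutionPolicySource {
    # -List returns the scopes in precedence order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    $scopes = Get-ExecutionPolicy -List

    # The first scope that is not Undefined decides the effective policy.
    $winner = $scopes |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1

    # Values delivered by the Computer Configuration policy, if present.
    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

    $fromGpo = $false
    if ($winner) {
        $fromGpo = [string]$winner.Scope -in 'MachinePolicy', 'UserPolicy'
    }

    [pscustomobject]@{
        Effective        = Get-ExecutionPolicy
        DecidedByScope   = if ($winner) { [string]$winner.Scope } else { 'None (built-in default)' }
        SetByGroupPolicy = $fromGpo
        RegEnableScripts = $reg.EnableScripts      # 1 when the policy is Enabled
        RegPolicyValue   = $reg.ExecutionPolicy    # e.g. Unrestricted, RemoteSigned
        AllScopes        = ($scopes | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
    }
}

Get-ExecutionPolicySource | Format-List
```

After gpupdate /force with the GPO from this article applied, DecidedByScope should read MachinePolicy and RegPolicyValue should match the option selected in the GPO.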

