If you often find yourself fumbling for the execution policy command to allow unsigned scripts on new servers, you may want to apply this setting centrally via a Group Policy Object (GPO). The Set-ExecutionPolicy command will allow you to pass the policy values for PowerShell's operation level. For scripts you write yourself, in most situations, administrators choose the Unrestricted option. Figure A shows this being queried and the command to configure PowerShell's operation level. Figure A
Click the image to enlarge.The Group Policy configuration in Windows Server 2008 (and Windows Server 2003) allows a GPO to be set to configure the PowerShell operation level centrally. Within Group Policy, navigate to Computer Configuration | Administrative Templates | Windows Components | Windows PowerShell and configure the Turn On Script Execution setting (Figure B). Figure B
Click the image to enlarge.There are a number of considerations for this type of configuration around script security. The best practice will depend on the security policy of the systems involved. Applying the setting that enables PowerShell scripts to a GPO that corresponds to relevant systems is a practice that would fit most situations. For the security context, the Disabled option will prevent PowerShell scripts from being run and enforced via a GPO. If the GPO is set, the computer accounts do not have the ability to change their local execution policy. Figure C shows this behavior, even run as a Domain Administrator. Figure C
Click the image to enlarge.
How do you manage PowerShell execution policies centrally? Share your strategies and safeguards in the discussion.
Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.