I am working on a mid-size Windows 2012 R2 domain right now, and slapped together a PowerShell login script.
But I can't figure out how to allow regular users to run it!
By default, PowerShell script execution is disabled in a Windows domain.
I am trying to enable script execution using group policies.
I found several sets on instructions, but none have yet yielded the result desired. Here is an example of the instructions I have found:
https://blogs.technet.microsoft.com/poshchap/2015/01/02/execution-policy-and-group-policy/
So far no amount of gpupdate /force or rebooting seems to work.
Does anyone have first hand experience at enabling script execution using group policies?
Related
The current ExcutionPolicy is AllSigned; however, I am attempting to automate the deployment of SSRS packages via the ReportingServicesTools module that Microsoft published (see link below). My deployment implementation is a scrip that calls a series of commands that are made available within the ReportingServicesTools module. Unfortunately, when I try executing the script, I get the following error:
C:\...\ReportingServicesTools.psm1 is not digitally signed. You cannot
run this script on the current system.
I am able to run the script when I change the ExecutionPolicy to RemoteSigned. However, this may run afoul with our company's policies.
Before I address this internally, is there anyway that I can get the script to run under an AllSigned ExecutionPolicy? I have checked online and everything seems to point to changing the ExecutionPolicy to RemoteSigned. So, I assume the answer to my question is no, but I first want to check here that way I have left no stone un-turned.
ReportingServicesTools:
https://www.powershellgallery.com/packages/ReportingServicesTools/0.0.4.8
I'm looking for the best solution for automating Windows server 2012r2 via Rundeck. I'm extremely familiar with Rundeck but use it for linux vms. I've searched online for this topic but havent found anything that seems reliable. Ideally, I want to start a Runeck Job that can add users in Active Directory but not sure how to approach it. I've tried using winrm but have gotten mixed results. Ironically, it will run basic powershell commands but it errors when trying to do anything with AD. Ive even tried creating a powershell script on the AD server and have Rundeck simply execute the powershell script to no avail. Hopefully someone has had success in controlling windows nodes with Rundeck. Below is the error i receive when trying to run a powershell script.
Execution failed: 27 in project windows: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [Windows_AD_Server: NonZeroResultCode: [WinRMPython] Result code: 1 + {dataContext=MultiDataContextImpl(map={ContextView(node:Windows_AD_Server)=BaseDataContext{{exec={exitCode=1}}}, ContextView(step:1, node:Windows_AD_Server)=BaseDataContext{{exec={exitCode=1}}}}, base=null)} ]}, Node failures: {Windows_AD_Server=[NonZeroResultCode: [WinRMPython] Result code: 1 + {dataContext=MultiDataContextImpl(map={ContextView(node:Windows_AD_Server)=BaseDataContext{{exec={exitCode=1}}}, ContextView(step:1, node:Windows_AD_Server)=BaseDataContext{{exec={exitCode=1}}}}, base=null)} ]}, status: failed]
Firstly, PowerShell already offers a built-in way to execute jobs, with no 3rd party addons.
About Jobs
Provides information about how PowerShell background jobs run a command or expression in the background without interacting with the current session.
About Remote Jobs
Describes how to run background jobs on remote computers.
PowerShell Jobs Week: Remote Jobs
I've never heard of / used Rundeck as Paul points out as well, so this just be the Rundeck has particulars that need to be in play first. Yet, looking at the docs, and a quick youtube video on the topic, there are several things that must be in place for what you say here...
I've tried using winrm but have gotten mixed results.
… to work.
Video - Running commands remotely using the console with WinRM/WinRS
If Rundeck is similar to SCCM or Scheduled Task, then the same approach applies.
Write Your PowerShell script. have Rundeck/ScheduedTask call powershell.exe to run the script
How to execute a PowerShell script automatically using Windows task scheduler?
Also, this could very well be seen as a duplicate of this stackoverflow discussion and answer.
rundeck unable to execute powershell script with import-module
I am setting up somethin similar and have the same problem. The AD operation executes successfully, but returns exit code 1 and throw the error you mentioned. I am in the process of debugging the plugin, but it seems there is a bug within response handling.
Please check if the ad operation works although the error is thrown and please post the script block you are using to control the AD.
Edit: in meantime I was able to narrow down the issue and opened an issue with the project: github
I provisionally fixed the issue with adding the following line in winrm-session.py after line 89:
new_msg = msg
The line before is:
" error message: %s" % (e))
The line after is:
else:
If this does not solve your issue, please post your script block.
Best Tobias
I have set-executionpolicy unrestricted. I was able to run scripts previously. After I got an error running a powershell script, I started getting the following error:
File C:..\test.ps1 cannot be loaded because its operation is blocked by
software restriction policies, such as those created by using Group Policy.
It doesn't matter what is in the script file I am trying to run.
From what I can tell nothing else has changed. I was doing something with a remote powershell session to a remote machine, got an error. Then was unable to run scripts locally unless I run powershell.exe as administrator.
Software Restriction Policies (SRP) have nothing to do with Powershell directly.
Someone has set a restriction on what can be run and/or from where it can be run.
This isn't related to Powershell Execution Policy, Powershell Remoting, nor administrative rights/privileges.
Typically SRP is set through Group Policy and pushed out (I'm guessing you're on a domain).
You could use rsop.msc on your machine to try to determine what the settings are and maybe which policy is applying them.
If you want more information on SRP you should probably post on ServerFault.
Hello Folks,
I have a powershell MTA (GUI script using winForms), which works well, lets take the script name to be "ENDUserMTA.ps1" which does invoke certain commands and does something which really needs admin rights. this works fine when run manually or via task scheduler or when set via [registry] RunOnce or Run or whatever when there is admin rights..
The problem is i want to invoke this script on the END users laptop and make them to work with it [interactively]
Options that i have tried so far:
Tried Scheduling the "ENDUserMTA.ps1" in Task Manager SYSTEM account [using When running the task, use the following user account] - this starts and run NOT INTERACTIVE [since system account does not have interactive session]
Tried Scheduling the "ENDUserMTA.ps1" in Task Manager with Different user account which has admin rights [using When running the task, use the following user account] - This again starts but the GUI is not shown to the End User who has logged without admin rights, rather shown to only the user who was set under the option [When running the task, use the following user account]
My situation is not possible to create PSSessions or Delegated Remoting. I am now is middle of forest and no where to go!!!
Not sure how to invoke the script as admin to a user who has logged into a machine without admin rights..
WHat i exactly need or similar solution: When scheduling this script, i schedule the script to start atlogon[any user], after the script completes it will delete the scheduled task
Pls help..
Balaji
Begining on Vista Microsoft has started to separate UI stacks for security reasons.
My advise for your problem is to change the architecture of your code in order to create two scripts.
The first one with no UI will be scheduled with administrative rights
The second one with UI will be started with the user rights and will be a client of the first one.
You can use Inter-Process Communication between the two scripts, but you will met a security issue, you server part vill need particular ACLs to allow the client part to connect.
It exists other way to communicate between scripts, but it's not so easy with an asynchronous UI architecture on one side. It would be simple using managed code (.NET code) or native code(unmanaged code). For me, you are on the limit of the scripting place even if scripting capacities are very large as far as PowerShell is built on the top of .NET.
I have the following batch script on a Windows 2008 R2 server:
#echo off
djoin.exe /provision /domain my.domain.com /machine test /savefile savefile.txt
echo %ERRORLEVEL%
If I run the script on the server itself, either through command prompt or PowerShell, it works perfectly fine and returns "0".
The problem is that I need to execute it from a remote computer, so I do the following (an example just for testing):
Invoke-Command -ComputerName remotehost -ScriptBlock {.\script.cmd}
The output is "-1073740940", which is probably error code C0000374, which could have something to do with heap corruption.
This seems to be a problem with the djoin command itself. I can comment out djoin and run other binaries, like ping, with no issues using the same Invoke-Command.
Keeping in mind that the script works perfectly fine when executed from PowerShell on the target computer, what issues could the act of remoting be introducing?
In both cases, the script is executed with the same privileges using my account, which is a member of Domain Admins. I doubt that it's a permissions issue and have no idea where else to look.
[edit]
Gave up on the whole thing. This is either a bug in djoin or some obscure problem in the interaction between djoin and PS remoting.
I managed to run djoin directly on the client, using 'runas /netonly ...' to provide domain credentials. It's a very messy solution (and I have yet to figure out how to get the exit status of a process started by runas), but gets the job done.
This is almost certainly a classic "double-hop" authentication issue. Remember that when you use PowerShell Remoting you're using up one of those hops. Anything you execute on that remote machine that accesses a third remote machine is unlikely to work if it requires authentication.
To get around that, you can use an authentication method which allows you to Delegate Credentials such as CredSSP. It's a bit more involved than simply changing your authentication type as you have to make changes on the client side and the server side of the transaction. Refer to this blog post on MSDN, PowerShell Remoting and the “Double-Hop” Problem and this "Hey, Scripting Guy!" post, Enable PowerShell "Second-Hop" Functionality with CredSSP.