Cannot run powershell scripts unless I run as administrator - powershell

I have set-executionpolicy unrestricted. I was able to run scripts previously. After I got an error running a PowerShell script, I started getting the following error:
File C:..\test.ps1 cannot be loaded because its operation is blocked by
software restriction policies, such as those created by using Group Policy.
It doesn't matter what is in the script file I am trying to run.
From what I can tell, nothing else has changed. I was doing something with a remote PowerShell session to a remote machine and got an error. Then I was unable to run scripts locally unless I run powershell.exe as administrator.

Software Restriction Policies (SRP) have nothing to do with PowerShell directly.
Someone has set a restriction on what can be run and/or from where it can be run.
This isn't related to PowerShell Execution Policy, PowerShell Remoting, nor administrative rights/privileges.
Typically SRP is set through Group Policy and pushed out (I'm guessing you're on a domain).
You could use rsop.msc on your machine to try to determine what the settings are and maybe which policy is applying them.
If you want more information on SRP you should probably post on ServerFault.
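A read-only check that separates the two mechanisms the answer distinguishes, added here as an example and not part of the original answer. It assumes the standard SRP policy location under `Policies\Microsoft\Windows\Safer\CodeIdentifiers` in the HKLM and HKCU hives; the report file name is arbitrary.

```powershell
# Added diagnostic (not from the original answer). It only reads settings.

# 1. Execution policy per scope, to confirm it is not what blocks the script.
Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-Host

# 2. Software Restriction Policies in the machine and user hives.
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$rules = foreach ($hive in 'HKLM:', 'HKCU:') {
    $root = "$hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $root)) {
        Write-Host "$hive no SRP policy key present"
        continue
    }

    $policy = Get-ItemProperty -Path $root
    if ($null -eq $policy.DefaultLevel) {
        Write-Host "$hive SRP key present, DefaultLevel not set"
    } else {
        $default = [int]$policy.DefaultLevel
        Write-Host "$hive DefaultLevel = $default ($($levelNames[$default]))"
    }

    # Each numeric subkey is a security level; Paths\{GUID} holds one path rule.
    foreach ($level in Get-ChildItem -Path $root) {
        if ($level.PSChildName -notmatch '^\d+$') { continue }
        $paths = "$($level.PSPath)\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem -Path $paths) {
            $data = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Hive  = $hive
                Level = $levelNames[[int]$level.PSChildName]
                Path  = $data.ItemData
                Note  = $data.Description
            }
        }
    }
}
$rules | Format-Table -AutoSize -Wrap | Out-Host

# 3. Resultant set of policy as an HTML report, to see which GPO applies the
#    settings. Computer-scope results generally need an elevated prompt.
gpresult /h "$env:TEMP\rsop-report.html" /f
```

A `Disallowed` default level, or a `Disallowed` path rule covering the script's folder, matches the "blocked by software restriction policies" message regardless of what `Get-ExecutionPolicy` reports.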

Related

Any way to bypass the security warning when trying to run scripts off a network drive WITHOUT having admin privileges?

Is there any way to bypass the security warning when trying to run scripts off a network drive WITHOUT having admin privileges? I wrote a PowerShell script that needs to reside on a network drive and I cannot automatically run the script because I get this stupid error:
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run xxx\examplefile.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):
I have no way of getting admin privileges, any ideas?
Talk to your admin. It can be set up to permit this. There is a downside to allowing this, so your admin may say no.

ReportingServicesTools module is not digitally signed

The current ExecutionPolicy is AllSigned; however, I am attempting to automate the deployment of SSRS packages via the ReportingServicesTools module that Microsoft published (see link below). My deployment implementation is a script that calls a series of commands that are made available within the ReportingServicesTools module. Unfortunately, when I try executing the script, I get the following error:
C:\...\ReportingServicesTools.psm1 is not digitally signed. You cannot
run this script on the current system.
I am able to run the script when I change the ExecutionPolicy to RemoteSigned. However, this may run afoul of our company's policies.
Before I address this internally, is there any way that I can get the script to run under an AllSigned ExecutionPolicy? I have checked online and everything seems to point to changing the ExecutionPolicy to RemoteSigned. So, I assume the answer to my question is no, but I first want to check here so that I have left no stone unturned.
ReportingServicesTools:
https://www.powershellgallery.com/packages/ReportingServicesTools/0.0.4.8

enable Powershell script execution on domain

I am working on a mid-size Windows 2012 R2 domain right now, and slapped together a PowerShell login script.
But I can't figure out how to allow regular users to run it!
By default, PowerShell script execution is disabled in a Windows domain.
I am trying to enable script execution using group policies.
I found several sets of instructions, but none have yet yielded the result desired. Here is an example of the instructions I have found:
https://blogs.technet.microsoft.com/poshchap/2015/01/02/execution-policy-and-group-policy/
So far no amount of gpupdate /force or rebooting seems to work.
Does anyone have first-hand experience at enabling script execution using group policies?

Can RemoteSigned run scripts created on same domain?

I'm creating and testing some PowerShell scripts to do some basic file copying. I've set my ExecutionPolicy to RemoteSigned. According to the help, this should allow me to run scripts that were not downloaded from the internet. However, my observations seem to indicate that this will run only scripts created on the local machine.
For instance, if I create a script on my development machine and try to copy to my server (on my same domain), the script will not run. However, if I open up the PowerShell ISE on the server and open my script, copy the code and paste it into a new file window and save it to the server, the script then runs. Further, if I want to create a self-signed certificate, it will not run on other computers (per the help).
So, this all seems a bit cumbersome that I have to develop my scripts on the machine they are to be run or go through the copy/paste routine mentioned above to get them to run on my server. I just want to know that I've understood all of this correctly and there is no other way to create a script within the same domain and run it under the RemoteSigned execution policy without paying the fee for a certificate.
This post here provides the method for executing a script from a shared folder. Hope this could help you :-)

Batch script runs fine, but fails when executed through PowerShell Remoting

I have the following batch script on a Windows 2008 R2 server:
@echo off
djoin.exe /provision /domain my.domain.com /machine test /savefile savefile.txt
echo %ERRORLEVEL%
If I run the script on the server itself, either through command prompt or PowerShell, it works perfectly fine and returns "0".
The problem is that I need to execute it from a remote computer, so I do the following (an example just for testing):
Invoke-Command -ComputerName remotehost -ScriptBlock {.\script.cmd}
The output is "-1073740940", which is probably error code C0000374, which could have something to do with heap corruption.
This seems to be a problem with the djoin command itself. I can comment out djoin and run other binaries, like ping, with no issues using the same Invoke-Command.
Keeping in mind that the script works perfectly fine when executed from PowerShell on the target computer, what issues could the act of remoting be introducing?
In both cases, the script is executed with the same privileges using my account, which is a member of Domain Admins. I doubt that it's a permissions issue and have no idea where else to look.
[edit]
Gave up on the whole thing. This is either a bug in djoin or some obscure problem in the interaction between djoin and PS remoting.
I managed to run djoin directly on the client, using 'runas /netonly ...' to provide domain credentials. It's a very messy solution (and I have yet to figure out how to get the exit status of a process started by runas), but gets the job done.
This is almost certainly a classic "double-hop" authentication issue. Remember that when you use PowerShell Remoting you're using up one of those hops. Anything you execute on that remote machine that accesses a third remote machine is unlikely to work if it requires authentication.
To get around that, you can use an authentication method which allows you to Delegate Credentials such as CredSSP. It's a bit more involved than simply changing your authentication type as you have to make changes on the client side and the server side of the transaction. Refer to this blog post on MSDN, PowerShell Remoting and the “Double-Hop” Problem and this "Hey, Scripting Guy!" post, Enable PowerShell "Second-Hop" Functionality with CredSSP.
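The client-side and server-side changes the answer refers to, shown end to end as an added example that is not part of the original answer. `remotehost` and `.\script.cmd` are taken from the question; the script assumes elevated sessions on both machines and that CredSSP is not blocked by Group Policy.

```powershell
# Added example (not from the original answer). Run from an elevated prompt.
# CredSSP hands the account's credentials to the remote host, so delegation
# is limited to one named server and switched off again afterwards.
$server = 'remotehost'          # host name used in the question
$cred   = Get-Credential        # the domain account that djoin needs

try {
    # Server side: allow the remote host to accept delegated credentials.
    Invoke-Command -ComputerName $server -ScriptBlock {
        Enable-WSManCredSSP -Role Server -Force | Out-Null
    }

    # Client side: permit delegation to this one server only, never '*'.
    Enable-WSManCredSSP -Role Client -DelegateComputer $server -Force | Out-Null

    # Show the resulting configuration before relying on it.
    Get-WSManCredSSP

    # Second hop: with CredSSP the remote session can authenticate onward,
    # for example to a domain controller.
    $exitCode = Invoke-Command -ComputerName $server `
                               -Authentication Credssp `
                               -Credential $cred `
                               -ScriptBlock {
        & .\script.cmd | Out-Host   # script from the question
        $LASTEXITCODE               # return the batch file's exit status
    }
    "script.cmd exit code on ${server}: $exitCode"
}
finally {
    # Remove the delegation on both sides once the task is done.
    Disable-WSManCredSSP -Role Client
    Invoke-Command -ComputerName $server -ScriptBlock {
        Disable-WSManCredSSP -Role Server
    }
}
```

The value passed to `-DelegateComputer` must match the name given to `-ComputerName`; a mismatch makes the CredSSP connection fail even though both roles are enabled.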