Messaging and Collaboration

Sunday, 23 April 2017

Execution Policies

Execution policies are a Windows security mechanism that controls whether PowerShell scripts are allowed to run.
There are 4 types of execution policies that we can set, along with five different scopes.
Execution policies:
  1. Restricted - This is the most secure policy, because no PowerShell scripts can run in this mode.
  2. AllSigned - This policy allows you to run scripts, but each script must be digitally signed by a trusted publisher. You will get a prompt while running a script to confirm that you trust the publisher.
  3. RemoteSigned - It allows you to run locally created scripts, but downloaded scripts must be digitally signed; it won't prompt to confirm the trust of the publisher. This is the default execution policy in Windows Server 2012.
  4. Unrestricted - No security; we can run any type of script.

Execution policy scopes:
  1. MachinePolicy
  2. UserPolicy
  3. Process
  4. CurrentUser
  5. LocalMachine

Scope values are listed in precedence order (from higher to lower). For example, if you have a RemoteSigned policy at the CurrentUser scope and an AllSigned policy at the LocalMachine scope, then RemoteSigned will be the effective policy.

How to change the execution policy?
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
The above cmdlet changes the execution policy from the default to 'RemoteSigned'.

To check the execution policy
Simply type Get-ExecutionPolicy
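The following is an added example, not part of the original post, that ties the scope list and its precedence rule together with the scoped form of Set-ExecutionPolicy: it reads the per-scope values with Get-ExecutionPolicy -List, walks them in precedence order to find the effective policy, compares that with what plain Get-ExecutionPolicy reports, and previews a CurrentUser change with -WhatIf. The function name Get-EffectiveExecutionPolicy and the $scopeOrder variable are my own, not cmdlets.

```powershell
# Added example (not from the original post): resolve the effective execution
# policy from the per-scope values, walking scopes in precedence order, and
# show how to change the policy at one specific scope.

# Scopes in precedence order, highest first (same order as the list above).
$scopeOrder = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'

function Get-EffectiveExecutionPolicy {
    # Get-ExecutionPolicy -List returns one object per scope with the
    # properties Scope and ExecutionPolicy.
    $perScope = Get-ExecutionPolicy -List
    foreach ($scope in $scopeOrder) {
        $entry = $perScope | Where-Object { $_.Scope -eq $scope }
        # The first scope that is not Undefined wins; lower scopes are ignored.
        if ($entry -and $entry.ExecutionPolicy -ne 'Undefined') {
            return [pscustomobject]@{ Scope = $scope; Policy = $entry.ExecutionPolicy }
        }
    }
    # Every scope is Undefined: PowerShell falls back to its built-in default.
    return [pscustomobject]@{ Scope = '(none)'; Policy = 'Undefined (built-in default applies)' }
}

# Show the per-scope table and the resolved winner.
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize
$effective = Get-EffectiveExecutionPolicy
"Effective policy: {0} (set at scope {1})" -f $effective.Policy, $effective.Scope
# Get-ExecutionPolicy with no arguments reports the same effective value.
"Get-ExecutionPolicy reports: {0}" -f (Get-ExecutionPolicy)

# Changing the policy for the current user only (does not need elevation),
# previewed with -WhatIf so nothing is actually written. Remove -WhatIf to apply.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -WhatIf
# MachinePolicy and UserPolicy come from Group Policy and cannot be changed
# with Set-ExecutionPolicy; they always outrank the scopes below them.
```

Run it in any PowerShell session. Keep in mind that Microsoft documents the execution policy as a safety feature against running scripts unintentionally rather than as a security boundary, so a Restricted or AllSigned setting is one layer of control, not a substitute for application control on its own.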

How to get the execution policy of remote computers
Sometimes you want to collect details about execution policies for all servers in your environment. You might think of using Get-ExecutionPolicy with an identity or computername parameter, but the tricky part is that the Get-ExecutionPolicy cmdlet doesn't support any such parameter. To check this, type Get-ExecutionPolicy | Get-Member (or gm); the output lists no method or parameter related to identity.

For this situation we can use Invoke-Command, a PowerShell remote management cmdlet that supports one-to-many remoting. This cmdlet lets you run, on multiple remote computers, PowerShell commands that don't themselves support a -ComputerName parameter.

# Read the server list; the CSV has a "name" column holding each server name.
$servers = Import-Csv "C:\Users\dinesh\Desktop\servers.csv"
foreach ($server in $servers) {
    # Run Get-ExecutionPolicy on each server over PowerShell remoting.
    Invoke-Command -ComputerName $server.name -ScriptBlock { Get-ExecutionPolicy }
}

In the above script I am using a CSV file as the input, which contains all the server names under a column named "name".
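As an added example (not the post's own script), here is a fuller version of the same audit: it hands the whole server list to Invoke-Command in one call, which fans out to the hosts in parallel, tags each result with PSComputerName, flags policies that disable the check, and lists hosts that could not be reached so the audit is not silently incomplete. The CSV path, the report path and the sample rows are constructed assumptions; the CSV is expected to have a "name" column as the post describes. Bypass is not on the post's list, but it is the other built-in policy value that turns the check off, so the report flags it alongside Unrestricted.

```powershell
# Added example (not the original post's script): collect the execution policy
# from every server listed in a CSV and flag the permissive ones.
# Assumed CSV layout with a "name" column (constructed sample):
#   name
#   server01
#   server02
# The paths below are hypothetical; replace them with your own.
$csvPath    = 'C:\Temp\servers.csv'
$reportPath = 'C:\Temp\executionpolicy-report.csv'
$servers    = Import-Csv -Path $csvPath

# Invoke-Command accepts an array for -ComputerName and runs against the hosts
# in parallel (one-to-many remoting), so no loop is needed. Unreachable hosts
# are collected in $remoteErrors instead of aborting the run.
$results = Invoke-Command -ComputerName $servers.name -ScriptBlock {
    # Runs on each remote host: the effective policy plus two per-scope values.
    [pscustomobject]@{
        Effective    = (Get-ExecutionPolicy).ToString()
        LocalMachine = (Get-ExecutionPolicy -Scope LocalMachine).ToString()
        CurrentUser  = (Get-ExecutionPolicy -Scope CurrentUser).ToString()
    }
} -ErrorAction SilentlyContinue -ErrorVariable remoteErrors

# Policy values that disable the check entirely and deserve a second look.
$permissive = 'Unrestricted', 'Bypass'

$report = $results | ForEach-Object {
    [pscustomobject]@{
        Computer     = $_.PSComputerName   # added to each result by Invoke-Command
        Effective    = $_.Effective
        LocalMachine = $_.LocalMachine
        CurrentUser  = $_.CurrentUser
        Permissive   = $_.Effective -in $permissive
    }
}

$report | Sort-Object Computer | Format-Table -AutoSize

# Hosts that could not be queried (WinRM off, firewall, name resolution, ...).
foreach ($err in $remoteErrors) {
    "Could not query {0}: {1}" -f $err.TargetObject, $err.Exception.Message
}

# Keep a copy of the report so changes can be tracked over time.
$report | Export-Csv -Path $reportPath -NoTypeInformation
```

Invoke-Command needs PowerShell remoting enabled on the targets and an account with rights to connect to them; the -ErrorVariable list is what tells you which servers are missing from the table, so do not drop it when you adapt the script.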
