status filter rule and powershell script

  • Question

  • hello,

    I have a problem with the "status filter rule" function. I want to run a powershell script when a specific status message is generated. When I run the script by hand it works without problems, but when sccm executes the script it does not work because of the execution policy of powershell.
    The weird thing is that the execution policy is set to unrestricted and the script is located on the sccm server.
    Is it because of the system context the script ran in?
    Thanks

    hoppo-star

    Wednesday, December 2, 2009 9:27 PM

Answers

  • I've got it!
    The powershell script runs as a scheduled task without problems but not when executed by the status filter rule method.
    Then I have created a wrapper cmd which sets the execution policy to unrestricted and then executes the powershell script. That works for me.
    The execution policy has to be set once and the command can then be removed:
    powershell set-executionpolicy -executionpolicy unrestricted
    
    C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe D:\SCCM\ServerScripte\ReplicateUpCollMembership\replicate.ps1 -strLocalSiteServer %1 -strParentSiteServer sccm01 -strCollectionID %3>>"%~dp0error.log"
    Thursday, December 3, 2009 9:25 PM

All replies

  • When you "run it by hand" you are running it with your credentials, right? What happens if you run the powershell script under SYSTEM context, from the Cmd Prompt as System?

    http://verbalprocessor.com/2007/12/05/running-a-cmd-prompt-as-local-system/

    Standardize. Simplify. Automate.
    Wednesday, December 2, 2009 10:01 PM
  • Yep, I concur with where Sherry is going although maybe not for the same reason. Execution policy is a system wide setting (stored in HKLM as a matter of fact), but I bet that it is hard-coded for the local SYSTEM account and cannot be changed -- I don't know this for a fact but think it likely for security reasons.
    Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys
    Thursday, December 3, 2009 1:55 AM
  • Are you running the script locally or from a network share when executing in the status filter rule?
    Are you running the script locally or from a network share when executing manually?
    "Everyone is an expert at something" Kim Oppalfens Configmgr expert for lack of any other expertise. http://www.scug.be/blogs/sccm
    Thursday, December 3, 2009 7:54 AM
  • and the script is located on the sccm server.

    Does that answer your question, Kim? ;-))
    Thursday, December 3, 2009 8:42 AM
  • It sure answers one of them, ok you got me there wiseguy ;-)

    My guess though is that the powershell script is executed locally when run manually, which will not prompt you to ask whether you want to execute it, because it runs from a trusted location. When running remote though it will prompt, even in unrestricted mode.

    Ways to have powershell scripts run completely unattended.
    1) Sign scripts, use one of the require signature execution policies, make sure the cert used to sign the script is in the Trusted PUBLISHERS (sorry for yelling, but I have seen this go wrong too many times) certificate store, and that the entire certificate chain ends in a trusted root.
    2) Make sure the location the script runs from is a "trusted" location, in other words, add it to the trusted sites in Internet Explorer.
    "Everyone is an expert at something" Kim Oppalfens Configmgr expert for lack of any other expertise. http://www.scug.be/blogs/sccm
    Thursday, December 3, 2009 8:47 AM
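
Added example, not part of the original thread: a pre-flight check for option 1 in the reply above (signed scripts), reporting signature status, whether the signing certificate is in Trusted Publishers, and whether its chain builds to a trusted root. It assumes PowerShell 3.0 or later; the function name Test-UnattendedScriptTrust and the sample script are constructed for illustration.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0 or later.
# Run it in the same context the script will run in (e.g. local SYSTEM),
# because certificate stores and trust are evaluated per context.
function Test-UnattendedScriptTrust {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $inTrustedPublishers = $false
    $chainValid = $false

    if ($cert) {
        # The signing cert itself must be in the Trusted Publishers store.
        $inTrustedPublishers = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
        # The whole chain must build to a trusted root.
        # Build() checks revocation online by default.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainValid = $chain.Build($cert)
    }

    [pscustomobject]@{
        Path                = $Path
        SignatureStatus     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer              = if ($cert) { $cert.Subject } else { $null }
        InTrustedPublishers = $inTrustedPublishers
        ChainValid          = $chainValid
        EffectivePolicy     = Get-ExecutionPolicy
        ReadyForAllSigned   = ($sig.Status -eq 'Valid') -and $inTrustedPublishers -and $chainValid
    }
}

# Constructed sample input: an unsigned script in the temp directory.
$sample = Join-Path $env:TEMP 'unsigned-sample.ps1'
Set-Content -Path $sample -Value 'Write-Output "hello"'
Test-UnattendedScriptTrust -Path $sample | Format-List
Remove-Item $sample
```

For the unsigned sample, SignatureStatus is NotSigned and ReadyForAllSigned is False; a script signed with a certificate that passes all three checks reports True.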