Invoke-Command Execution Policy

  • Question

  • c:\temp\test.ps1 {unsigned}

    write-host "Hello-World!"

    ............................................................................................................

    invoke-command -cn $machinename -filepath c:\temp\test.ps1

     The remote machine (e.g. $machinename) has execution policy set to AllSigned. I was surprised to see that this script executes without error. Why is this allowed? I understand that PS converts -filepath to a scriptblock, but it doesn't seem to honor the target machine's execution policy. Isn't this a security issue?

    If I add an import-module {modulename} to my script above, I get the error about the script not being digitally signed.

    In this scenario, why does the remote machine honor its local execution policy for import-module, but not the passed scriptblock in general?

    Friday, October 5, 2012 8:27 PM

Answers

  • FilePath<String>

    Runs the specified local script on one or more remote computers. Enter the path and file name of the script, or pipe a script path to Invoke-Command. The script must reside on the local computer or in a directory that the local computer can access. Use the ArgumentList parameter to specify the values of parameters in the script.

    When you use this parameter, Windows PowerShell converts the contents of the specified script file to a script block, transmits the script block to the remote computer, and runs it on the remote computer.

    • Proposed as answer by Bigteddy Wednesday, October 10, 2012 6:10 PM
    • Marked as answer by Yan Li_ Monday, October 15, 2012 2:53 AM
    Monday, October 8, 2012 2:20 PM
  • Hi,

        Several cmdlets have a ComputerName parameter that lets you
        get objects from remote computers.

        Because these cmdlets do not use WS-Management-based Windows PowerShell
        remoting, you can use the ComputerName parameter of these cmdlets on any
        computer that is running Windows PowerShell. The computers do not have to
        be configured for Windows PowerShell remoting, and the computers do not
        have to meet the system requirements for remoting.

        The following cmdlets have a ComputerName parameter:

            Clear-EventLog    Limit-EventLog
            Get-Counter       New-EventLog
            Get-EventLog      Remove-EventLog
            Get-HotFix        Restart-Computer
            Get-Process       Show-EventLog
            Get-Service       Stop-Computer
            Get-WinEvent      Test-Connection
            Get-WmiObject     Write-EventLog

    For more details, please refer to the below links:

    Use PowerShell Invoke-Command for Remoting

    http://blogs.technet.com/b/heyscriptingguy/archive/2011/06/13/use-powershell-invoke-command-for-remoting.aspx

    about_Remote

    http://technet.microsoft.com/en-us/library/hh847900.aspx

    Regards,

    Yan Li

    TechNet Subscriber Support



    Yan Li

    TechNet Community Support

    • Proposed as answer by Bigteddy Wednesday, October 10, 2012 6:10 PM
    • Marked as answer by Yan Li_ Monday, October 15, 2012 2:53 AM
    Tuesday, October 9, 2012 6:17 AM

All replies

  • Instead of write-host "Hello-World!", what does "Get-ExecutionPolicy" return?

    Admiral Ackbar says...

    Friday, October 5, 2012 8:34 PM
  • AllSigned
    Friday, October 5, 2012 8:45 PM
  • Any takers?
    Monday, October 8, 2012 2:10 PM
  • This seems like a security issue since the execution policy is ignored.
    Wednesday, October 10, 2012 5:54 PM
  • If you read the previous posts, you will see that the execution policy is only enforced when a script is run locally on the machine.  Commands sent by Invoke-Command with a file path are converted into a scriptblock, so the remote computer doesn't see this as a remote script.

    Is that clearer?


    Grant Ward, a.k.a. Bigteddy

    Wednesday, October 10, 2012 6:13 PM
  • If you read the previous posts, you will see that the execution policy is only enforced when a script is run locally on the machine.  Commands sent by Invoke-Command with a file path are converted into a scriptblock, so the remote computer doesn't see this as a remote script.

    Is that clearer?


    Grant Ward, a.k.a. Bigteddy

    If you load a script and try and run it in the ISE on a machine where the execution policy is AllSigned, PowerShell will not run it, complaining about the execution policy.

    However, if you copy the script contents and paste it into the ISE, PowerShell will run it with no issues.

    It's the difference between having a script in a file, loading it and running it, and just executing a scriptblock - discussed in the previous posts.

    PowerShell can be made to ignore the computer's execution policy when started by using...

    powershell.exe -ExecutionPolicy Bypass

    I don't think execution policy was meant to be the be-all, end-all security feature.


    Admiral Ackbar says...

    Wednesday, October 10, 2012 6:32 PM
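
The file versus script block difference discussed in this thread can be reproduced on a single Windows machine. The following is an added example, not code from any of the posters; the temp file name and variable names are constructed, and it assumes no Group Policy execution policy overrides the Process scope.

```powershell
# Added example (Windows only): compares running an unsigned script FILE with
# running the same text as a SCRIPT BLOCK under AllSigned. The policy is set at
# Process scope only, so the machine-wide setting is not changed.
# Assumption: no MachinePolicy/UserPolicy (Group Policy) setting takes precedence.
$previous = Get-ExecutionPolicy -Scope Process
$path     = Join-Path $env:TEMP 'ep-demo-unsigned.ps1'    # constructed file name
Set-Content -LiteralPath $path -Value '"Hello-World!"'    # unsigned one-line script

try {
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy AllSigned -Force

    # 1. Run the file. The policy check happens when a script file is loaded,
    #    so the unsigned file is expected to be refused here.
    try {
        $fileResult = "ran: $(& $path)"
    } catch {
        $fileResult = "blocked: $($_.Exception.GetType().Name)"
    }

    # 2. Run the same text as a script block. This mirrors what -FilePath does
    #    before sending the code to the remote computer: the receiving side gets
    #    a script block, not a file, so there is no file signature to check.
    $block       = [scriptblock]::Create((Get-Content -LiteralPath $path -Raw))
    $blockResult = "ran: $(& $block)"

    # Side-by-side summary of both attempts under the same effective policy.
    [pscustomobject]@{
        EffectivePolicy = Get-ExecutionPolicy
        ScriptFile      = $fileResult
        ScriptBlock     = $blockResult
    }
} finally {
    # Restore the original Process-scope value and clean up the temp file.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy $previous -Force
    Remove-Item -LiteralPath $path -ErrorAction SilentlyContinue
}
```

The same reasoning explains the Import-Module observation in the question: importing a script module makes the remote machine load a file from its own disk, and that load is subject to its AllSigned policy.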