Trying to sign a PowerShell script to run on all domain servers

  • Question

  • I need to run a PowerShell script on all my domain servers. I followed the instructions on this web site (https://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html) and created a certificate on my workstation which I was able to import to one of the servers. However, when I tried to run the script manually from the server, I got this error:

    PS Microsoft.PowerShell.Core\FileSystem::\\MyDomain.com\NETLOGON\Distribute\DHCPLogging> .\test.ps1
    File \\MyDomain.com\NETLOGON\Distribute\DHCPLogging\test.ps1 cannot be loaded because the execution of scripts is
     disabled on this system. Please see "get-help about_signing" for more details.
    At line:1 char:11
    + .\test.ps1 <<<<
        + CategoryInfo          : NotSpecified: (:) [], PSSecurityException
        + FullyQualifiedErrorId : RuntimeException

    So I changed the Script Execution Policy to RemoteSigned and the script ran fine:

    PS Microsoft.PowerShell.Core\FileSystem::\\MyDomain.com\NETLOGON\Distribute\DHCPLogging> Set-ExecutionPolicy -executionpolicy Remotesigned
    
    Execution Policy Change
    The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
    you to the security risks described in the about_Execution_Policies help topic. Do you want to change the execution
    policy?
    [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y
    
    
    
    PS Microsoft.PowerShell.Core\FileSystem::\\MyDomain.com\NETLOGON\Distribute\DHCPLogging> .\test.ps1
    What is your name?: JDMils
    Hello JDMils
    PS Microsoft.PowerShell.Core\FileSystem::\\MyDomain.com\NETLOGON\Distribute\DHCPLogging>
    
    

    I know that the next step is to create a GPO which installs the new cert on all servers so I can do this OK.

    So how do I now get my signed script to run on all my servers without having to manually reset the ExecutionPolicy of each one?



    • Edited by JDMils1968 Monday, November 27, 2017 2:02 AM
    Monday, November 27, 2017 1:27 AM

All replies

  • First you need to create a code signing certificate before you can find and assign one.

    https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6


    \_(ツ)_/

    Monday, November 27, 2017 1:56 AM
  • Hi JRV, I edited my original post just as you were replying to my post, so to let you know, I've now been able to create the certificate, sign the test script and import the cert onto a test server.

    My problem is that my test server's ExecutionPolicy is set to Restricted by default and it will still not run the script. If I manually change the ExecutionPolicy on the server to RemoteSigned it will execute OK so how do I run the signed script successfully on all servers?

    Monday, November 27, 2017 2:25 AM
  • Then you cannot run scripts under any circumstances. You need to ask your Domain Admin to give you scripting permission.


    \_(ツ)_/

    Monday, November 27, 2017 3:27 AM
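
An added example, not part of any post in this thread: a PowerShell function that reports, on one server, which scope sets the effective execution policy, whether the script's Authenticode signature is valid, and whether the signer is in a Trusted Publishers store. The function name `Test-SignedScriptReadiness` is hypothetical, and the code is written to run on PowerShell 2.0 or later.

```powershell
# Added example (not from the thread). Test-SignedScriptReadiness is a hypothetical name.
function Test-SignedScriptReadiness {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # path of the signed script, local or UNC
    )

    # Get-ExecutionPolicy -List returns scopes in precedence order; the first one
    # that is not Undefined wins. MachinePolicy and UserPolicy are set by Group
    # Policy and cannot be overridden with Set-ExecutionPolicy on the server.
    $winner = Get-ExecutionPolicy -List |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1
    $source    = if ($winner) { "$($winner.Scope)" } else { 'none set (built-in default)' }
    $effective = "$(Get-ExecutionPolicy)"

    # Signature state of the file, and whether its signer is a trusted publisher.
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $valid   = ($sig.Status -eq 'Valid')
    $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    $trusted = $false
    if ($thumb) {
        $trusted = (Test-Path "Cert:\LocalMachine\TrustedPublisher\$thumb") -or
                   (Test-Path "Cert:\CurrentUser\TrustedPublisher\$thumb")
    }

    $verdict = switch ($effective) {
        'Restricted'   { 'Blocked: no script runs under Restricted, signed or not' }
        'AllSigned'    { if (-not $valid)       { "Blocked: signature status is $($sig.Status)" }
                         elseif (-not $trusted) { 'Prompts: signer is not a trusted publisher' }
                         else                   { 'Runs' } }
        'RemoteSigned' { if ($valid -and $trusted) { 'Runs' }
                         elseif ($valid) { 'Valid signature; a remote copy may prompt until the signer is trusted' }
                         else { "Runs only if the file is not treated as remote (status $($sig.Status))" } }
        'Unrestricted' { 'Runs: policy does not require a signature' }
        'Bypass'       { 'Runs: policy does not require a signature' }
        default        { "Unrecognized policy value: $effective" }
    }

    New-Object PSObject -Property @{
        PolicySource = $source;  EffectivePolicy  = $effective
        Signature    = "$($sig.Status)"; SignerThumbprint = $thumb
        SignerTrusted = $trusted; Verdict = $verdict
    }
}

# Example call, using the script path from the question:
# Test-SignedScriptReadiness -Path '\\MyDomain.com\NETLOGON\Distribute\DHCPLogging\test.ps1' | Format-List
```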