Active Directory Best Practices Analyzer and Windows PowerShell execution policy

    Question

  • OS: Windows Server 2008 R2
    Management feature: Server Manager/Best Practices Analyzer/Windows PowerShell

    I've experienced issues with the Active Directory Best Practices Analyzer when a Windows PowerShell execution policy is defined.

    To reproduce the issue on a "clean" system:

    1) Run Get-ExecutionPolicy -List from Windows PowerShell and ensure that all execution policies are Undefined.

    2) Run the Active Directory Best Practices Analyzer. It should run without any problems.

    3) Define a Windows PowerShell execution policy, using either Group Policy (on either Machine or User Configuration) or the Set-ExecutionPolicy cmdlet.

    4) Run the Active Directory Best Practices Analyzer. The following error message should appear:

    [Window Title]
    Server Manager

    [Main Instruction]
    The Best Practices Analyzer scan has failed.

    [Content]
    There has been a Best Practice Analyzer engine error for Model Id: 'Microsoft/Windows/DirectoryServices' during execution of the Model. (Inner Exception: One or more model documents are invalid: {0}Discovery exception occurred processing file '{0}'.
    Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope.  Due to the override, your shell will retain its current effective execution policy of "RemoteSigned". Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more information, please see "Get-Help Set-ExecutionPolicy.")

    [OK]

    This happens with any of the available execution policies except Undefined and Unrestricted.
    I've tested the Active Directory Best Practices Analyzer only; however, this could affect other Best Practices Analyzers in Windows Server 2008 R2.

    Can anyone explain this behaviour? This can't be "by design", as we really should be allowed to define custom execution policies without breaking OS functionality.


    Jan Egil Ring

    Blog: http://blog.powershell.no
    Twitter: http://twitter.com/janegilring
    Tuesday, July 06, 2010 10:27 PM
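
The check in steps 1 and 3 above can be scripted. The following is an added example, not part of the original post or any Microsoft tooling: it reads `Get-ExecutionPolicy -List`, reports which scope decides the effective policy, and flags the condition the poster describes (a defined policy other than Unrestricted). The function name `Get-ExecutionPolicySource` and the output property names are hypothetical.

```powershell
# Added example, not from the thread. Function and property names are hypothetical.
# Written to run on Windows PowerShell 2.0 (Windows Server 2008 R2).
# Run it in a fresh console so the Process scope reflects the machine defaults.
function Get-ExecutionPolicySource {
    # Get-ExecutionPolicy -List returns one object per scope, highest
    # precedence first: MachinePolicy, UserPolicy, Process, CurrentUser,
    # LocalMachine.
    $scopes = @(Get-ExecutionPolicy -List)

    # The first scope that is not Undefined decides the effective policy.
    $deciding = $scopes |
        Where-Object { $_.ExecutionPolicy.ToString() -ne 'Undefined' } |
        Select-Object -First 1

    $effective = (Get-ExecutionPolicy).ToString()

    if ($deciding) {
        $scopeName = $deciding.Scope.ToString()
    } else {
        $scopeName = '(none defined)'
    }

    # A policy set in a Group Policy scope wins over Set-ExecutionPolicy,
    # which is the override the error text in this thread refers to.
    $fromGroupPolicy = @('MachinePolicy', 'UserPolicy') -contains $scopeName

    # Condition reported in the question: the scan failed with any defined
    # policy except Unrestricted (and ran when everything was Undefined).
    $reported = ($deciding -ne $null) -and ($effective -ne 'Unrestricted')

    New-Object PSObject -Property @{
        EffectivePolicy          = $effective
        DecidingScope            = $scopeName
        SetByGroupPolicy         = $fromGroupPolicy
        MatchesReportedCondition = $reported
    } | Select-Object EffectivePolicy, DecidingScope, SetByGroupPolicy, MatchesReportedCondition
}

# Show the per-scope settings, then the summary.
Get-ExecutionPolicy -List | Format-Table -AutoSize
Get-ExecutionPolicySource | Format-List
```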

Answers

  • Hi,

    This is a known issue with BPA. Sorry to say we don’t have a fix currently. If you need this fixed, please contact CSS, provide your business justification so that product team may provide a fix.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, July 09, 2010 10:15 AM
    Moderator

All replies

  • Has the status of this "known" issue changed? What is the best practice for assigning ExecutionPolicy settings to Domain Controllers?
    Respectfully, Tom
    Wednesday, June 29, 2011 12:54 AM
  • There is a fast publish KB on this: http://support.microsoft.com/kb/2028818. I don't think that helps you, Tom, but it might help others looking for help when getting the error Jan listed above.

    [Window Title]
    Server Manager

    [Main Instruction]
    The Best Practices Analyzer scan has failed.

    [Content]
    There has been a Best Practice Analyzer engine error for Model Id: 'Microsoft/Windows/DirectoryServices' during execution of the Model. (Inner Exception: One or more model documents are invalid: {0}Discovery exception occurred processing file '{0}'.
    Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope. Due to the override, your shell will retain its current effective execution policy of "RemoteSigned". Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more information, please see "Get-Help Set-ExecutionPolicy.")


    Travis
    Wednesday, November 09, 2011 2:41 AM