In an environment with lots of servers, automation is an important topic. To automate, you have to run scripts that perform certain tasks. On Windows the preferred scripting language is of course PowerShell. A challenge you will come across when trying to run scripts on Windows 7 or Windows Server 2008 R2 is the PowerShell Execution Policy, which is set to Restricted by default on these two operating systems.
In a previous post I wrote a small intro to the execution policy and how to set it manually: Set Powershell Execution Policy. This is fine for a small number of servers, but if you have a lot of them a more enterprise-level solution is required. One such solution is Group Policy. With it you can ensure that all the selected computers are configured and that the configuration cannot be changed by someone locally on one of them, because it is controlled centrally by Group Policy.
The PowerShell Execution Policy setting is present in both the user part and the computer part of the GPO. This means that you can set it for specific users regardless of the machine on which they log on, or set it on specific machines regardless of the user that logs on and runs the script.
Steps to set the PowerShell Execution Policy with Group Policy
This is an easy task which can be performed in 4 steps. In this example I am configuring a machine level setting.
- If you want this setting kept separate from others, create a new GPO. In my case I named it PS Exec Policy.
- From the Computer Configuration part, go to Policies, Administrative Templates, Windows Components, Windows PowerShell.
- Enable the Turn on script execution setting and select one of the options. I recommend Allow local scripts and remote signed scripts. This is the RemoteSigned execution policy.
- Link the GPO where you want it to apply. In my example I linked it to the Domain Controllers container, which means that it will apply to any computer object in this container.
And that’s it. Now you can wait for the policy to apply or update the Group Policy manually. You should then see the new setting.
If you decide to set the policy at the user level, please remember that it will apply to a specific user only after a new logon.
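To check the result on a target machine, the following added example (not part of the original post) refreshes Group Policy and reports which scope the effective execution policy comes from. The `$Expected` value is an assumption matching the RemoteSigned choice in the steps above; the registry paths are where the Turn on script execution setting stores its values.

```powershell
# Added example: confirm that the GPO-delivered execution policy is in effect.
# $Expected is an assumption matching the RemoteSigned option chosen in the steps.
$Expected = 'RemoteSigned'

# Refresh computer and user policy instead of waiting for the background cycle.
gpupdate /force | Out-Null

# Scopes are listed in precedence order; the first one that is not Undefined wins.
# MachinePolicy and UserPolicy are the two scopes that only Group Policy can set.
$scopes = Get-ExecutionPolicy -List
$scopes | Format-Table Scope, ExecutionPolicy -AutoSize

# Registry locations written by the "Turn on script execution" setting.
$paths = @{
    MachinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    UserPolicy    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
}

foreach ($name in 'MachinePolicy', 'UserPolicy') {
    $fromCmdlet = ($scopes | Where-Object { $_.Scope.ToString() -eq $name }).ExecutionPolicy
    $reg = Get-ItemProperty -Path $paths[$name] -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Scope         = $name
        Policy        = $fromCmdlet
        EnableScripts = $reg.EnableScripts     # 1 when the setting is Enabled
        RegistryValue = $reg.ExecutionPolicy   # e.g. RemoteSigned
    } | Format-List Scope, Policy, EnableScripts, RegistryValue
}

# Decide whether the GPO is what actually determines the effective policy.
$effective = (Get-ExecutionPolicy).ToString()
$gpoScopes = @($scopes | Where-Object {
    ('MachinePolicy', 'UserPolicy' -contains $_.Scope.ToString()) -and
    ($_.ExecutionPolicy.ToString() -ne 'Undefined')
})

if ($gpoScopes.Count -eq 0) {
    Write-Warning "No Group Policy scope is set; effective policy '$effective' comes from a local scope."
} elseif ($effective -ne $Expected) {
    Write-Warning "Group Policy applies, but the effective policy is '$effective', not '$Expected'."
} else {
    Write-Output "OK: '$effective' is enforced by $($gpoScopes[0].Scope)."
}
```

When MachinePolicy or UserPolicy shows a value, a local `Set-ExecutionPolicy` call cannot override it, which is the central control described above.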