Q: How can I centrally control the PowerShell execution policy settings on the Windows machines in my domain to ensure that they aren't overridden by changes made by an administrator locally on a domain member machine?
A: To centrally control the PowerShell execution policies for the machines and users in your domain, you can use the Turn on Script Execution Group Policy Object (GPO) setting. You can configure this setting in both the computer node and the user configuration node of GPOs. If you configure them in both nodes, the computer-level setting will take precedence over the user-level setting. When these settings are enabled, they override other PowerShell execution policies locally set on a machine (i.e., the policies linked to the Process, CurrentUser, and LocalMachine scopes). If you're unfamiliar with PowerShell's execution policies and scopes, see "Use Execution Policies to Control What PowerShell Scripts Can Be Run."
The Turn on Script Execution GPO setting has the following configuration options, as illustrated in Figure 1:
- Disabled. When you select the Disabled option, scripts won't run. Selecting this option has the same effect as setting the Restricted execution policy.
- Enabled. If you select the Enabled option, you can set one of three execution policies: Allow all scripts (i.e., Unrestricted policy), Allow local scripts and remote signed scripts (i.e., RemoteSigned policy), or Allow only signed scripts (i.e., AllSigned policy).
- Not Configured. When you select the Not Configured option, the GPO settings will have no effect. Thus, the local PowerShell execution policy set by the administrator remains in effect.
The Turn on Script Execution GPO setting isn't included in the standard Windows GPOs. You can add it by installing the PowerShellExecutionPolicy administrative template. You can download this template from the Administrative Templates for Windows PowerShell web page. You'll be downloading an *.msi package, which you must install on the system where you configure your GPOs.
After the package is successfully installed, you need to load the administrative template. To do so, open the GPO editor, navigate to the Administrative Templates container, right-click it, and choose Add/Remove Templates. In the Add/Remove Templates dialog box, you can add either the PowerShellExecutionPolicy.adm file (the classic administrative template) or the PowerShellExecutionPolicy.admx file (the XML-formatted administrative template). Both files are located in the %SystemDrive%\Program Files\Microsoft Group Policy folder.
The Turn on Script Execution GPO setting shows up in the Computer Configuration and User Configuration GPO nodes in the following paths:
- For Windows XP and Windows Server 2003: Administrative Templates\Windows Components\Windows PowerShell
- For Windows Vista and later: Administrative Templates\Classic Administrative Templates\Windows Components\Windows PowerShell
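To verify on a domain member that the GPO, and not a locally set policy, is supplying the effective execution policy, the following PowerShell audit (added here; it is not part of the original column) reads the registry values the administrative template writes (EnableScripts and ExecutionPolicy under the Policies\Microsoft\Windows\PowerShell key, in HKLM for the computer node and HKCU for the user node) and compares them with the per-scope view from Get-ExecutionPolicy -List.

```powershell
# Added example: audit whether the "Turn on Script Execution" GPO controls the
# effective PowerShell execution policy on this machine. Read-only.

function Get-ExecutionPolicyAudit {
    # Registry locations written by the Turn on Script Execution setting:
    # computer configuration node -> HKLM, user configuration node -> HKCU.
    $policyPaths = @{
        MachinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
        UserPolicy    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    }

    $gpoValues = foreach ($scope in 'MachinePolicy', 'UserPolicy') {
        $values = Get-ItemProperty -Path $policyPaths[$scope] -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope         = $scope
            Configured    = [bool]$values
            EnableScripts = $values.EnableScripts    # 0 = Disabled (acts as Restricted), 1 = Enabled
            Policy        = $values.ExecutionPolicy  # Unrestricted / RemoteSigned / AllSigned
        }
    }

    # Get-ExecutionPolicy -List returns the scopes in precedence order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    $scopes = Get-ExecutionPolicy -List

    # The first scope that is not Undefined decides the effective policy.
    $deciding = ($scopes |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1).Scope
    if (-not $deciding) { $deciding = 'Default (no scope defined)' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        EffectivePolicy   = Get-ExecutionPolicy
        DecidingScope     = $deciding
        ControlledByGpo   = $deciding -in 'MachinePolicy', 'UserPolicy'
        GpoRegistryValues = $gpoValues
        AllScopes         = $scopes
    }
}

$audit = Get-ExecutionPolicyAudit
$audit | Select-Object ComputerName, EffectivePolicy, DecidingScope, ControlledByGpo | Format-List
$audit.GpoRegistryValues | Format-Table -AutoSize
$audit.AllScopes | Format-Table -AutoSize
```

A machine where ControlledByGpo is False while the GPO is meant to apply has either not received the policy yet or has it set to Not Configured, so the locally set policy is the one in effect.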