
I have an application in a Citrix/2008R2 that is acting as a user starting point for other apps.

I have recently had to modify this application to integrate it more deeply with Active Directory. As part of this process the application sometimes has to run the user login script directly (instead of counting on the login process to do so).

That script is written in PowerShell and, among other things, maps the users' drives based on what OU the account object is in. I had to modify the script to take into account users who had to choose their work environment when they log in and therefore cannot use the standard login script.

Anyway: my issue is that, when the script is started from a DFS UNC path from my application, it fails to run, asking the user to confirm its execution. I checked the execution policies in both 32- and 64-bit PowerShell and they are like this:

            Scope ExecutionPolicy
            ----- ---------------
    MachinePolicy    Unrestricted
       UserPolicy    Unrestricted
          Process       Undefined
      CurrentUser       Undefined
     LocalMachine    Unrestricted

I have made sure that the group policy applied to both the user and the computer should allow all scripts to run: GPO details

For now, I have resorted to making a copy of the script to the temp folder and running it from there (it works fine) but it is nagging me: I can't see any logical reason why PowerShell would refuse the execution of that script.

Does anyone have an idea what is happening here?

Edit

To clarify, I am experiencing the common PowerShell security warning here:

    Security Warning
    Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your computer. Do you want to run \\xxxx\xxxx\xxxx\test_powershell.ps1?
    [D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"):
  • Since you are executing the script from a UNC you may be bumping up against IE security policy. Did you try adding \\server.domain to your IE trusted sites list? Commented Aug 4, 2015 at 8:51
  • I believe that this would trigger a dialog box instead of the PowerShell security warning I'm seeing. Anyway: the network location where the scripts are stored is part of the "Local intranet" zone, applied through GPO. Commented Aug 4, 2015 at 14:57

1 Answer

This PowerShell blog entry goes into detail about how PowerShell determines if a script is remote for the RemoteSigned execution policy. I've found that even when the policy is set to Unrestricted, you will still get the prompt to execute if PowerShell thinks the script is remote. So as tchester said, this may be related to your IE security zones. I think I resolved a similar issue with caspol.exe.

Here are some instructions I found on how to use caspol.exe to fully trust a share. I haven't messed with this in a while, so please test with caspol and PowerShell, but I'm pretty confident this will resolve the prompting issue you're seeing.

  • Thank you for the initial link: since all my servers have IE in ESC mode, it does explain why PowerShell ignores the execution policy (although it doesn't explain the argument for implementing such an... interesting mechanism). Unfortunately, CasPol is somewhat deprecated and isn't used by PowerShell by default. I tried it nevertheless but it didn't solve the prompt issue. Commented Aug 4, 2015 at 15:15
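
A diagnostic for the situation discussed in this thread, added here as an example and not part of the original posts: it reports which security zone Windows assigns to the UNC copy and the local copy of a script, so the two can be compared on the affected server under the affected account. The function name, the sample paths and the set of zones treated as "local" are assumptions; it targets Windows PowerShell on the .NET Framework.

```powershell
# Added example. Get-ScriptZoneReport is a hypothetical helper name.
function Get-ScriptZoneReport {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Path
    )

    # Assumption: zones regarded as local/trusted for the purpose of this report.
    $localZones = @('MyComputer', 'Intranet', 'Trusted')

    foreach ($p in $Path) {
        # Ask .NET which URL security zone this location maps to. The mapping
        # uses the same zone configuration as Internet Explorer (including
        # GPO-assigned sites and Enhanced Security Configuration).
        $zone = [System.Security.Policy.Zone]::CreateFromUrl($p).SecurityZone

        # Check for a Zone.Identifier alternate data stream (mark of the web).
        # Get-Item -Stream exists only in PowerShell 3.0 and later.
        $hasMotw = $null
        if ($PSVersionTable.PSVersion.Major -ge 3 -and (Test-Path -LiteralPath $p)) {
            $stream  = Get-Item -LiteralPath $p -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            $hasMotw = [bool]$stream
        }

        New-Object PSObject -Property @{
            Path              = $p
            Zone              = $zone
            OutsideLocalZones = ($localZones -notcontains $zone.ToString())
            HasZoneIdentifier = $hasMotw
        }
    }
}

# Effective policy per scope, for the same session that shows the prompt.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Placeholder paths: substitute the real DFS path and the temp copy.
$paths = @('\\server.domain\share\test_powershell.ps1',
           (Join-Path $env:TEMP 'test_powershell.ps1'))

Get-ScriptZoneReport -Path $paths |
    Select-Object Path, Zone, OutsideLocalZones, HasZoneIdentifier |
    Format-Table -AutoSize
```

If the UNC path reports `Internet` while the temp copy reports `MyComputer`, the zone mapping rather than the execution policy is what differs between the two launches.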
