Windows Server 2008 R2 Unleashed (146 page)

four primary execution policies, discussed in more detail in the following sections:

Restricted, AllSigned, RemoteSigned, and Unrestricted.

NOTE

Execution policies can be circumvented by a user who manually executes commands

found in a script file. Therefore, execution policies are not meant to replace a security

system that restricts a user’s actions and instead should be viewed as a restriction

that attempts to prevent malicious code from being executed.

Restricted

By default, PowerShell is configured to run under the Restricted execution

policy. This execution policy is the most secure because it allows PowerShell to operate

only in an interactive mode. This means no scripts can be run, and only configuration

files digitally signed by a trusted publisher are allowed to run or load.

AllSigned

The AllSigned execution policy is a notch under Restricted. When this policy is

enabled, only scripts or configuration files that are digitally signed by a publisher you

730

CHAPTER 21

Automating Tasks Using PowerShell Scripting

trust can be run or loaded. Here’s an example of what you might see if the AllSigned

policy has been enabled:

PS C:\Scripts> .\evilscript.ps1

The file C:\Scripts\evilscript.ps1 cannot be loaded. The file

C:\Scripts\evilscript.ps1 is not digitally signed. The script will not

execute on the system. Please see “get-help about_signing” for more

details.

At line:1 char:16

+ .\evilscript.ps1 <<<<

PS C:\Scripts>

Signing a script or configuration file requires a code-signing certificate. This certificate can

come from a trusted certificate authority (CA), or you can generate one with the

Certificate Creation Tool (Makecert.exe). Usually, however, you want a valid code-signing

certificate from a well-known trusted CA, such as VeriSign, Thawte, or your corporation’s

internal Public Key Infrastructure (PKI). Otherwise, sharing your scripts or configuration

files with others might be difficult because your computer isn’t a trusted CA by default.

RemoteSigned

The RemoteSigned execution policy is designed to prevent remote

ptg

PowerShell scripts and configuration files that aren’t digitally signed by a trusted publisher

from running or loading automatically. Scripts and configuration files that are locally

created can be loaded and run without being digitally signed, however.

A remote script or configuration file can be obtained from a communication application,

such as Microsoft Outlook, Internet Explorer, Outlook Express, or Windows Messenger.

Running or loading a file downloaded from any of these applications results in the follow-

ing error message:

PS C:\Scripts> .\interscript.ps1

The file C:\Scripts\interscript.ps1 cannot be loaded. The file

C:\Scripts\interscript.ps1 is not digitally signed. The script will not execute on

the system. Please see “get-help about_signing” for more details..

At line:1 char:17

+ .\interscript.ps1 <<<<

PS C:\Scripts>

To run or load an unsigned remote script or configuration file, you must specify whether

to trust the file. To do this, right-click the file in Windows Explorer and click Properties.

On the General tab, click the Unblock button (see Figure 21.2).

After you trust the file, the script or configuration file can be run or loaded. If it’s digitally

signed but the publisher isn’t trusted, however, PowerShell displays the following prompt:

PS C:\Scripts> .\signed.ps1

Do you want to run software from this untrusted publisher?

Understanding the PowerShell Basics

731

21

ptg

FIGURE 21.2

Trusting a remote script or configuration file.

File C:\Scripts\signed.ps1 is published by CN=companyabc.com, OU=IT,

O=companyabc.com, L=Oakland, S=California, C=US and is not trusted on your

system. Only run scripts from trusted publishers.

[V] Never run [D] Do not run [R] Run once [A] Always run [?] Help

(default is “D”):

In this case, you must choose whether to trust the file content.

Unrestricted

As the name suggests, the Unrestricted execution policy removes almost all

restrictions for running scripts or loading configuration files. All local or signed trusted

files can run or load, but for remote files, PowerShell prompts you to choose an option for

running or loading that file, as shown here:

PS C:\Scripts> .\remotescript.ps1

Security Warning

Run only scripts that you trust. While scripts from the Internet can be useful,

this script can potentially harm your computer. Do you want to run

C:\Scripts\remotescript.ps1?

[D] Do not run [R] Run once [S] Suspend [?] Help (default is “D”):

In addition to the primary execution policies, two new execution policies were introduced

in PowerShell 2.0, as discussed in the following sections.

732

CHAPTER 21

Automating Tasks Using PowerShell Scripting

Bypass

When this execution policy is used, nothing is blocked and there is no warning or

prompts. This execution policy is typically used when PowerShell is being used by another

application that has its own security model or a PowerShell script has been embedded into

another application.

Undefined

When this execution policy is defined, it means that there is no execution policy set in

the current scope. If Undefined is the execution policy for all scopes, the effective execu-

tion policy is Restricted.

Setting the Execution Policy

By default, when PowerShell is first installed, the execution policy is set to Restricted. To

change the execution policy, you use the Set-ExecutionPolicy cmdlet, shown here:

PS C:\> set-executionpolicy AllSigned

Or, you can also use a Group Policy setting to set the execution policy for number of

computers. In a PowerShell session, if you want to know the current execution policy for a

machine, use the Get-ExecutionPolicy cmdlet:

ptg

PS C:\> get-executionpolicy

AllSigned

PS C:\>

Execution policies can not only be defined for the local machine, but can also be defined

for the current user or a particular process. These boundaries between where an execution

policy resides is called an execution policy scope. To define the execution policy for a

scope, you would use the Scope parameter for the Set-ExecutionPolicy cmdlet.

Additionally, if you wanted to know the execution policy for a particular scope, you

would use the Scope parameter for the Get-ExecutionPolicy cmdlet. The valid arguments

for the Scope parameter for both cmdlets are Machine Policy, User Policy, Process,

CurrentUser, and LocalMachine.

NOTE

The order of precedence for the execution policy scopes is Machine Policy, User Policy,

Process, CurrentUser, and LocalMachine.

Using Windows PowerShell

PowerShell is a powerful tool that enables administrators to manage Windows platform

applications and to complete automation tasks. This section sheds some light on how

PowerShell’s many uses can be discovered and how it can be used to manage Windows

Server 2008 R2.

Using Windows PowerShell

733

Exploring PowerShell

21

Before using PowerShell, you might want to become more familiar with its cmdlets and

features. To assist administrators with exploring PowerShell, the PowerShell team decided

to do two things. First, they included a cmdlet that functions very similarly to how the

UNIX man pages function. Second, they also included a cmdlet that returns information

about commands available in the current session. Together, these cmdlets allow a novice

to tap into and understand PowerShell without secondary reference materials; explana-

tions of these cmdlets are discussed in the following sections.

Getting Help

The Get-Help cmdlet is used to retrieve help information about cmdlets, aliases, and from

help files. To display a list of all help topics this cmdlet supports, enter Get-Help * at the

PowerShell command prompt, as shown here:

PS C:\> get-help *

Name Category Synopsis

---- -------- --------

ac Alias Add-Content

asnp Alias Add-PSSnapin

ptg

clc Alias Clear-Content

cli Alias Clear-Item

clp Alias Clear-ItemProperty

clv Alias Clear-Variable

cpi Alias Copy-Item

cpp Alias Copy-ItemProperty

cvpa Alias Convert-Path

...

If that list seems too large to work with, it can be shortened by filtering on topic name

and category. For example, to get a list of all cmdlets starting with the verb Get, try the

command shown in the following example:

PS C:\> get-help -Name get-* -Category cmdlet

Name Category Synopsis

---- -------- --------

Get-Command Cmdlet Gets basic information...

Get-Help Cmdlet Displays information a...

Get-History Cmdlet Gets a list of the com...

Get-PSSnapin Cmdlet Gets the Windows Power...

Get-EventLog Cmdlet Gets information about...

Get-ChildItem Cmdlet Gets the items and chi...

Get-Content Cmdlet Gets the content of th...

...

PS C:\>

734

CHAPTER 21

Automating Tasks Using PowerShell Scripting

After selecting a help topic, that topic can be retrieved by using the topic name as the

parameter to the Get-Help cmdlet. For example, to retrieve help for the Get-Content

cmdlet, enter the following command:

PS C:\> get-help get-content

After executing this command, a shortened view of the help content for the Get-Content

cmdlet is displayed. To view the full help content, include the full switch parameter with

the command:

PS C:\> get-help get-content –full

After executing the command with the full switch parameter, you will find that the full

help content is divided into several sections. Table 21.3 describes each of these sections.

TABLE 21.3

PowerShell Help Sections

Help

Description

Section

Name

The name of the cmdlet

ptg

Synopsis

A brief description of what the cmdlet does

Description

A detailed description of the cmdlet’s behavior, usually including usage examples

Syntax

Specific usage details for entering commands with the cmdlet

Parameters

Valid parameters that can be used with this cmdlet

Inputs

The type of input this cmdlet accepts

Outputs

The type of data that the cmdlet returns

Notes

Additional detailed information on using the cmdlet, including specific scenarios

and possible limitations or idiosyncrasies

Examples

Common usage examples for the cmdlet

Related

References other cmdlets that perform similar tasks

Links

Get-Command

The Get-Command is used to gather basic information about cmdlets and other

commands that are available. For example, when executed, the Get-Command lists all the

cmdlets available to the PowerShell session:

Using Windows PowerShell

735

PS C:\> get-command

21

CommandType Name Definition

----------- ---- ----------

Cmdlet Add-Content Add-Content [-Path]

Cmdlet Add-History Add-History [[-InputObject] ...

Cmdlet Add-Member Add-Member [-MemberType]

Cmdlet Add-PSSnapin Add-PSSnapin [-Name]

Cmdlet Clear-Content Clear-Content [-Path]