New Group Policy Mandate causes Run Script Powershell to fail
Article ID: 211060
Updated On:
Products
Issue/Introduction
PAM 4.3.03 - Windows - SQL Server
A new Group Policy was placed on all of our servers and workstations so that a login script would execute correctly.
When this change was made all PAM Processes that ran a PowerShell script failed to run because Arguments were no longer getting to the process.
If I run the c2ogws.cmd file from a command line, the parameters are there but not passed to the script when the GPO is set. If I change back, it works fine.
The team that put this GPO in place does not want to remove it. Is there a workaround that could be implemented to get this to work.
I noticed that if you add "PowerShell" after the CALL command the script runs as expected when the GPO is set.
Environment
Release : 4.3
Component : PROC AUTO SIM AND BMC REM POWER PACK
Cause
Found an article here that explains about these registry entries: https://www.howtogeek.com/204166/how-to-configure-windows-to-work-with-powershell-scripts-more-easily/
Notice the 0\Command, Edit\Command, and Open\Command subkeys. Those tell exactly what gets executed if that option is chosen for the Shell key. Looking at the value for the 0\Command subkey, I’m seeing this:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & '%1'"
This would explain why none of the parameters are being passed to the PowerShell script.
Resolution
I looked at the string for the Command on the Open tab and noticed it has ‘%1’ %* at the end of the string so I backed the registry and added %* to the end of the command string for the "0" option and it works now.
Feedback
