New Group Policy Mandate causes Run Script Powershell to fail

book

Article ID: 211060

calendar_today

Updated On:

Products

CA Process Automation Base

Issue/Introduction

PAM 4.3.03 - Windows - SQL Server

A new Group Policy was placed on all of our servers and workstations so that a login script would execute correctly.

The gpo change was to change the below from Open to 0 in order for powershell scripts to open in powershell.

HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\Shell
Change the value of the (Default) attribute to 0.
The possible values are following:
• 0 - execute,
• Edit - Open in PowerShell ISE,
• Open - open in Notepad.

When this change was made all PAM Processes that ran a PowerShell script failed to run because Arguments were no longer getting to the process.  I have attached one of the tmp folders created  by pam.  If I run the c2ogws.cmd file from a command line it the parameters are there but not passed to the script when the GPO is set.  If I change back it works fine. 

The team that put this GPO in place does not want to remove it.  Is there a workaround that could be implemented to get this to work. 

I noticed that if you add "PowerShell" after the CALL command the script runs as expected when the GPO is set.  Not sure if that helps.

Cause

Found an article here that explains about these registry entries: https://www.howtogeek.com/204166/how-to-configure-windows-to-work-with-powershell-scripts-more-easily/

Notice the 0\Command, Edit\Command, and Open\Command subkeys.  Those tell exactly what gets executed if that option is chosen for the Shell key.  Looking at the value for the 0\Command subkey, I’m seeing this:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & '%1'"

This would explain why none of the parameters are being passed to the Powershell script.

Environment

Release : 4.3

Component : PROC AUTO SIM AND BMC REM POWER PACK

Resolution

I looked at the string for the Command on the Open tab and noticed it has ‘%1’ %* at the end of the string so I backed up my registry and added %* to the end of the command string for the "0" option and it works now.

Attachments