For more information please see
At line:1 char:1
+ set-executionpolicy RemoteSigned -scope process -Force
Additionally, the syspolicy_purge_history job fails in its third step if the domain controller does not set the execution policy to RemoteSigned by GPO, and you may receive the following error message:
Scope - ExecutionPolicy
MachinePolicy - Unrestricted
UserPolicy - Undefined
Process - RemoteSigned
CurrentUser - Undefined
LocalMachine - RemoteSigned
MachinePolicy takes precedence over all other policies.
Group Policy is pushed from the domain controller to the member servers that are associated with that Group Policy. This sets the MachinePolicy to Unrestricted, while SQL Server PowerShell tries to run with the RemoteSigned execution policy. Because MachinePolicy takes precedence, the two settings conflict and the syspolicy_purge_history job fails. The same job runs successfully in SQL Server 2008 R2 regardless of the machine policy set on the domain controller.
Unrestricted is definitely not recommended from a security perspective, because it means no restrictions at all. That is why, starting with SQL Server 2012, the PowerShell scripts run successfully when MachinePolicy is set to RemoteSigned on the domain controller.
To work around this issue, use one of the following methods:
- Do not set the machine policy of the domain controller by GPO. If MachinePolicy is Undefined, the next defined scope takes precedence (in order: UserPolicy, then Process, then CurrentUser, and finally LocalMachine).
- Create a new Organizational Unit (OU) in Active Directory Users and Computers and link this OU to your Group Policy. Then enable the RemoteSigned policy for it. To do this, follow these steps:
  - Go to Active Directory Users and Computers.
  - Right-click your domain -> New -> Organizational Unit to create a new Organizational Unit.
  - Type gpmc.msc in Run, and then right-click Group Policy Objects -> New to create a new GPO.
  - Right-click the newly created GPO -> Edit. A new window opens.
  - Go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows PowerShell, and then double-click Turn on Script Execution.
  - Set the Execution Policy to Allow local scripts and remote signed scripts.
  - Click Apply, and then click OK.
  - Go to Active Directory Users and Computers, and then click Computers. You will find a list of computers for the domain. Right-click the computer(s) that you want to move into the newly created Organizational Unit. In this manner, you can move a single computer or a group of computers to an Organizational Unit.
  - Go to Group Policy Management, right-click the newly created Organizational Unit, click Link an Existing GPO, select the newly created GPO, and then click OK.
  - Update the policy on the domain controller and on the client computer by running this command in PowerShell.
  - Verify the machine policy for the Organizational Unit and the client computer; it should be RemoteSigned.
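The following script is an added example, not part of the KB article, that applies the scope precedence described above to the output of Get-ExecutionPolicy -List and reports whether a GPO-defined MachinePolicy will override the RemoteSigned policy that the SQL Server job tries to set for the Process scope. It assumes a Windows host with PowerShell 3.0 or later, only reads the policy scopes, and changes nothing; the function name and the sample listing are constructed for this example.

```powershell
# Added example (not from the KB article): detect the execution-policy conflict behind
# the syspolicy_purge_history failure. Read-only; assumes PowerShell 3.0 or later.
function Test-ExecutionPolicyConflict {
    param(
        # Output of Get-ExecutionPolicy -List; defaults to the live values of this host.
        [object[]]$PolicyList = (Get-ExecutionPolicy -List),
        # Policy the SQL Server PowerShell job tries to set with -Scope Process.
        [string]$WantedProcessPolicy = 'RemoteSigned'
    )
    # Scope precedence as PowerShell applies it: the first defined scope wins.
    $order = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'
    $policies = @{}
    foreach ($entry in $PolicyList) { $policies[[string]$entry.Scope] = [string]$entry.ExecutionPolicy }

    $effectiveScope  = $order | Where-Object { $policies[$_] -and $policies[$_] -ne 'Undefined' } | Select-Object -First 1
    $effectivePolicy = if ($effectiveScope) { $policies[$effectiveScope] } else { 'Restricted' }

    $machine = $policies['MachinePolicy']
    # Failing case from the article: a GPO-defined MachinePolicy that differs from what the
    # job sets for the Process scope, so the job's Set-ExecutionPolicy call is overridden.
    $conflict = $machine -and $machine -ne 'Undefined' -and $machine -ne $WantedProcessPolicy

    [pscustomobject]@{
        EffectiveScope  = $effectiveScope
        EffectivePolicy = $effectivePolicy
        MachinePolicy   = $machine
        Conflict        = [bool]$conflict
        Action          = if ($conflict) {
            "MachinePolicy '$machine' (GPO) overrides the Process scope. Set 'Turn on Script Execution' " +
            "to 'Allow local scripts and remote signed scripts' for this server's OU, or leave it Not Configured."
        } elseif ($effectivePolicy -eq 'Unrestricted') {
            "Effective policy is Unrestricted ($effectiveScope); prefer $WantedProcessPolicy."
        } else { 'No MachinePolicy conflict; the Process-scope policy takes effect.' }
    }
}

# Constructed sample reproducing the listing in the article (MachinePolicy pushed as Unrestricted by GPO).
$sample = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'Unrestricted' },
    [pscustomobject]@{ Scope = 'UserPolicy';    ExecutionPolicy = 'Undefined' },
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'RemoteSigned' },
    [pscustomobject]@{ Scope = 'CurrentUser';   ExecutionPolicy = 'Undefined' },
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'RemoteSigned' }
)
Test-ExecutionPolicyConflict -PolicyList $sample | Format-List   # the article's listing
Test-ExecutionPolicyConflict | Format-List                        # this host's live scopes
```

Run it on the SQL Server member server after the GPO update in the last step; Conflict should be False and MachinePolicy should read RemoteSigned or Undefined.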
Article ID: 2995870 - Last Review: Sep 9, 2014 - Revision: 1