Monthly Archives: May 2010

Run a powershell script from a UNC path via Task Scheduler in Windows 2008


As an admin I store all my PS scripts on a central server and schedule tasks on each individual server so its no big deal if I change a script around.

So scheduling these tasks on 08 was way more of a pain than I thought it would be. There are a couple of steps involved in order to get this to work correctly.

Powershell Config

With 2k8 there are two things off the bat that stop you from running a script from UNC

The more common is the execution policy, which by default is Restricted. In this case ideally what you want is remote signed. Its not the best idea, but since signing can be a bit of a pain you might go with unrestricted at your own risk. in PS just type in set-executionpolicy remotesigned

you can actually do this with a GPO

http://www.microsoft.com/downloads/details.aspx?familyid=2917a564-dbbc-4da7-82c8-fe08b3ef4e6d&displaylang=en

IE Config (shut off IE ESC)

so once you get the execution policy setup correctly you need to disable IE Enhanced Security Configuration (IE ESC) to allow UNCs to be considered Intranet. You can set a registry key, UNCAsIntranet, to accomplish this, but its a account based key. you can find info on that key here

http://technet.microsoft.com/en-us/library/bb457150.aspx

HKEY_CURRENT_USER\Software\Policies\Microsoft \Windows\CurrentVersion\Internet Settings\ZoneMap

DWORD: UNCAsIntranet 1

Personally I prefer to shut off IE ESC because you shouldn’t be using a server to surf the web. To do this you open up Server Manager (that nifty little link on the task bar) and highlight the Server Manager node at the top of the list. On the right hand side if you scroll down a bit one of the right hand boxes will have a link for Configure IE ESC and turn it off for both (your script account may not be an admin, depending on how you configure things)

The Account

The next thing is the account you use to run the script, I’m going to assume its not your own account and you’ve setup an account just for running scripts. In order for this account to run the script correctly you need to login with it. The reason for this is that after you’ve disabled IE ESC or created that reg key (via a gpo I’m guessing) the users needs to login in order to have the UNCAsIntranet key created under their account.

The Task

This is the easy part really, open up Task Scheduler and you can just create a basic task. You’ll need to point it to powershell (C:\Windows\System32\WindowsPowerShell\v1.0 yup, it still says V1) and as the arguments you’ll use –command “\\server\share\script.ps1”

at the end of the basic task creation wizard check off the box that says open property page and go to the General tab and check off Run with highest privileges (to get past UAC).

 

That’s it!

Advertisements