Question
Hello,
consider this scenario:
you are a standard user and the execution policy is set to Unrestricted for the machine (LocalMachine or for all scopes).
you want to run a PowerShell script c:\test\sub1\sub2\script1.ps1
the standard users group has NTFS read permission to c:\test and c:\test\sub1\sub2, but NOT c:\test\sub1
standard users can browse and read files inside c:\test\sub1\sub2
The problem is that when running the command powershell.exe -file c:\test\sub1\sub2\script1.ps1
I get the following error:
AuthorizationManager check failed.
CategoryInfo: Not Specified: (:) [], ParentContainsErrorRecordException
FullyQualifiedErrorId: RuntimeException
Is it normal?
The workaround I’ve found to make it work is to call powershell with the bypass argument:
powershell.exe -executionpolicy bypass -file c:\test\sub1\sub2\script1.ps1
or to add at least the NTFS permission «List folder / read data» to users for the folder c:\test\sub1
I ask in the forum because I have this problem with SCCM clients: the folder c:\windows\ccmcache is not accessible to interactive users, only the subfolders which contain packages and scripts. And suddenly PowerShell fails for packages running as the currently logged-on user, and with execution policy set to RemoteSigned. Is there a recent Windows update which changed the behavior of PowerShell?
Thank you.
Edited by
Tuesday, October 13, 2015 9:16 AM
Answers
We got a response from MS:

Cause

Unfortunately the issue is caused by a design limitation. For AppLocker to work the mechanisms (AiGetFullImagePath function) are querying the full path of the folder structure up to where the allowed for the user application or script is stored, thus breaking up with access denied inside an internal kernel function (GetFinalPathNameByHandleW) when the user does not have at least the desired read access at some point on the folder structure chain and because it is not directly denied by the AppLocker policy no error is presented directly on the screen and only in the event logs is logged.

Resolution

To resolve the issue the administrator must give the users who have to run these applications or scripts at least the desired read permissions for all the folders on the chain from the root of the partition up to the folder where the script or application resides.

Unfortunately this is not possible in the SCCM portion of our scenario because the CCM Executive is resetting the permissions for the users on the ccmcache folder, under which the scripts, which are being run in the user context, are stored and executed, thus presenting an issue for such scenarios.

Our SCCM product group has been informed of this behavior. This information is being discussed and reviewed for future updates. Unfortunately, I will not be able to give you any timeline for a patch resolving this scenario.
Marked as answer by
Larry.B.IT
Tuesday, March 8, 2016 12:39 PM
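
One way to find the folder that breaks the chain described in the answer above, as an added example that is not part of the original thread or of Microsoft's response. `Test-AncestorReadAccess` is a hypothetical helper name, and the check assumes that being able to list a folder is a usable stand-in for the read access the answer refers to.

```powershell
# Added example. Test-AncestorReadAccess is a hypothetical helper name.
# Run it in an interactive session of the affected (standard) user.
function Test-AncestorReadAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ScriptPath
    )

    # Build the folder chain, drive root first, script folder last.
    $chain = @()
    $dir = Split-Path -Path $ScriptPath -Parent
    while ($dir) {
        $chain = @($dir) + $chain
        $dir = Split-Path -Path $dir -Parent
    }

    foreach ($folder in $chain) {
        $canList = $true
        $reason  = ''
        try {
            # Enumerating a folder requires "List folder / read data" on it.
            $null = Get-ChildItem -LiteralPath $folder -Force -ErrorAction Stop
        }
        catch {
            $canList = $false
            $reason  = '{0}: {1}' -f $_.CategoryInfo.Category, $_.Exception.Message
        }
        [pscustomobject]@{
            Folder  = $folder
            CanList = $canList
            Reason  = $reason
        }
    }
}

# Path from the question; any row with CanList = False is a break in the chain.
Test-AncestorReadAccess -ScriptPath 'C:\test\sub1\sub2\script1.ps1' |
    Format-Table -AutoSize
```

The result reflects the user who runs it, so run it as the account that gets the error rather than as an administrator.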
Question
I’m trying to run a PowerShell script that accesses the VSTS API and it works OK if I run it in PowerShell ISE.
But I need to add the script as a task in the release process in VSTS and I’m getting a security error. The error I got is:
AuthorizationManager check failed.
CategoryInfo : SecurityError: (:) [], PSSecurityException
FullyQualifiedErrorId : UnauthorizedAccess
The script just gets the work items from a specific build and then saves those work items to a file as follows:
function Invoke-ServiceGetBuilds($headers)
{
    # Quote the whole URI so the '&' separators are passed through literally
    $uri = "https://myaccount.visualstudio.com/DefaultCollection/My-Software/_apis/build/builds?api-version=2.0&minFinishTime=2016-12-01&buildNumber=master_*&resultFilter=succeeded"
    # Capture the response so it can be returned to the caller
    $result = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    return $result
}

$username = "usr"
$password = "pass*"
$filePath = "file.html"
$releaseName = ""

# Build the HTTP Basic Authorization header from the credentials
$basicAuth = ("{0}:{1}" -f $username, $password)
$basicAuth = [System.Text.Encoding]::UTF8.GetBytes($basicAuth)
$basicAuth = [System.Convert]::ToBase64String($basicAuth)
$headers = @{Authorization=("Basic {0}" -f $basicAuth)}

$returnedBuilds = Invoke-ServiceGetBuilds $headers

#...create the object and the array of workitems HTML

ConvertTo-Html -Body "<h2>Build Information and WI</h2> $workItemsHtml" -Title "Release Report" | Out-File $filePath
The script works well if I run it from PowerShell ISE but fails in VSTS. Any idea on how to fix this issue?
Luis Diego Rojas. http://icomparable.blogspot.com
MCP, MCTS Biztalk Server, MCTS WCF
Edited by
Thursday, December 8, 2016 6:18 PM
Hi All,
I’m having a problem with my Powershell. When I load either the ISE or command window I get the following error.
AuthorizationManager check failed.
At line:0 char:0
$Error[0] | select * gives me
ErrorRecord                 : AuthorizationManager check failed.
Message                     : AuthorizationManager check failed.
StackTrace                  :
   at System.Management.Automation.AuthorizationManager.ShouldRunInternal(CommandInfo commandInfo, CommandOrigin origin, PSHost host)
   at System.Management.Automation.CommandDiscovery.ShouldRun(ExecutionContext context, PSHost host, CommandInfo commandInfo, CommandOrigin commandOrigin)
   at System.Management.Automation.CommandDiscovery.LookupCommandProcessor(CommandInfo commandInfo, CommandOrigin commandOrigin, Nullable`1 useLocalScope, SessionStateInternal sessionState)
   at System.Management.Automation.CommandDiscovery.LookupCommandProcessor(String commandName, CommandOrigin commandOrigin, Nullable`1 useLocalScope)
   at System.Management.Automation.Runspaces.Command.CreateCommandProcessor(ExecutionContext executionContext, CommandFactory commandFactory, Boolean addToHistory, CommandOrigin origin)
   at System.Management.Automation.Runspaces.LocalPipeline.CreatePipelineProcessor()
   at System.Management.Automation.Runspaces.LocalPipeline.InvokeHelper()
   at System.Management.Automation.Runspaces.LocalPipeline.InvokeThreadProc()
WasThrownFromThrowStatement : False
Data                        : {}
InnerException              : System.Management.ManagementException: Invalid namespace
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObject.Initialize(Boolean getObject)
   at System.Management.ManagementObject.Get()
   at System.Management.Automation.PsUtils.GetParentProcess(Process current)
   at System.Management.Automation.SecuritySupport.GetExecutionPolicy(String shellId, ExecutionPolicyScope scope)
   at System.Management.Automation.SecuritySupport.GetExecutionPolicy(String shellId)
   at Microsoft.PowerShell.PSAuthorizationManager.CheckPolicy(ExternalScriptInfo script, PSHost host, Exception& reason)
   at Microsoft.PowerShell.PSAuthorizationManager.ShouldRun(CommandInfo commandInfo, CommandOrigin origin, PSHost host, Exception& reason)
   at System.Management.Automation.AuthorizationManager.ShouldRunInternal(CommandInfo commandInfo, CommandOrigin origin, PSHost host)
TargetSite                  : System.Collections.ObjectModel.Collection`1[System.Management.Automation.PSObject] Invoke(System.Collections.IEnumerable)
HelpLink                    :
Source                      : System.Management.Automation
HResult                     : -2146233087
All of the information I’ve got about this so far tells me to check my execution policy, however:
PS:> Get-ExecutionPolicy
Get-ExecutionPolicy : Invalid namespace
At line:1 char:1
+ Get-ExecutionPolicy
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ExecutionPolicy], ManagementException
    + FullyQualifiedErrorId : System.Management.ManagementException,Microsoft.PowerShell.Commands.GetExecutionPolicyCommand
If I remove my PowerShell profile I don’t get an error message when starting, but I do still get the error for the execution policy and I can’t run any scripts unless I copy and paste them into the ISE script pane.
Any help on this is greatly appreciated as it is starting to get a little annoying.