Forum Discussion

MauryJ
Copper Contributor
Jun 26, 2024

AD Connect and powershell execution policy requirement

Hello,

 

We recently set up Azure/Entra AD Connect to sync our on-prem AD accounts with 365. While the setup went through successfully, and the sync status in 365 was green, I started getting notifications about directory sync being paused. Then in the 365 admin there is a warning about directory sync not being completed after some period.

 

Looking in the Application Event log on our sync server, I saw Event 905s - Directory Synchronization:

 

Scheduler::SchedulerThreadMain : An error occured and scheduler run failed to perform all operation.

 System.Management.Automation.CmdletInvocationException: File C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1 cannot be loaded because running scripts is disabled on this system....

 

I changed the PowerShell execution policy to RemoteSigned (from the default of Restricted), and that cleared up the errors in the event log, and syncing seemed to start working normally.

 

So my question is -- Do I really need to have the PS execution policy set to RemoteSigned machine-wide for Connect to function properly? I checked the properties of the PowerShell module referenced in the error message, AADConnector.psm1, and it is not marked as blocked.

 

Thanks

 

  • DTB's avatar
    DTB
    Iron Contributor

    Hi MauryJ,

     

    Yes, the PowerShell execution policy does play a role in the functionality of Azure/Entra AD Connect. Here’s a detailed explanation and the best practices for configuring the execution policy to ensure your directory synchronization works smoothly.

    Understanding PowerShell Execution Policies

    PowerShell execution policies are designed to prevent the execution of scripts that could potentially harm your system. The default policy is usually Restricted, which does not allow any scripts to run.

    Why RemoteSigned for AD Connect?

    Azure/Entra AD Connect uses PowerShell scripts for its operations, including the script mentioned in your error (AADConnector.psm1). Setting the execution policy to RemoteSigned ensures that scripts downloaded from the internet must be signed by a trusted publisher before they can be run. This is generally a safe practice because it allows locally created scripts to run without being signed, while still protecting your system from potentially malicious remote scripts.

    Setting Execution Policy to RemoteSigned

    To ensure Azure/Entra AD Connect functions properly, you need to set the execution policy to RemoteSigned. Here’s how you can do it:

    1. Open PowerShell as Administrator:

      • Right-click on the PowerShell icon and select Run as Administrator.

    2. Set Execution Policy:

        Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

      This command sets the execution policy to RemoteSigned for the entire machine. The -Force parameter ensures that the command runs without prompting for confirmation.

    3. Verify Execution Policy:

        Get-ExecutionPolicy -List

      This command will display the execution policies for each scope. Ensure that LocalMachine is set to RemoteSigned.

    Best Practices

    1. Review Script Sources: Ensure that any scripts downloaded from the internet are from trusted sources and are properly signed.

    2. Monitor Execution Policy Changes: Regularly check your execution policy to ensure it hasn’t been inadvertently changed.

    3. Least Privilege Principle: While RemoteSigned is necessary for AD Connect, avoid setting the execution policy to Unrestricted, which could expose your system to security risks.

     

    Conclusion

    Setting the PowerShell execution policy to RemoteSigned is required for Azure/Entra AD Connect to function properly, as it allows necessary scripts to run while still maintaining a level of security. By following the steps above, you can ensure that your directory synchronization continues to work without interruption.

     

    If you have any further questions or need additional assistance, feel free to ask.

    Please click Mark as Best Response & Like if my post helped you to solve your issue.

    This will help others to find the correct solution easily. It also closes the item.

    If the post was useful in other ways, please consider giving it Like.
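One way to check, on the sync server itself, the three things this thread turns on (which scope actually supplies the effective policy, whether AADConnector.psm1 is marked as remote, and whether it is signed) is the script below. It is an added example, not code from the thread or from Microsoft's AD Connect; the module path is the one quoted in the Event 905 message, and the function name Test-WouldLoad is my own.

```powershell
# Added example (not from the thread). Audits why AADConnector.psm1 would or would
# not load under the current PowerShell execution policy on an AD Connect server.
# Module path taken from the Event 905 message quoted in the original post.
$modulePath = 'C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1'

# The effective policy is the highest-precedence scope that is not Undefined:
# MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine. A Group Policy
# value therefore overrides whatever Set-ExecutionPolicy wrote to LocalMachine,
# which is the first thing to look at if LocalMachine says RemoteSigned but
# scripts still refuse to load.
Get-ExecutionPolicy -List | Format-Table -AutoSize
$effective = Get-ExecutionPolicy
"Effective policy: $effective"

# A file counts as "remote" only when it carries a Zone.Identifier alternate data
# stream (the mark shown as "Unblock" in the file's Properties dialog).
$isRemote = [bool](Get-Item -Path $modulePath -Stream Zone.Identifier -ErrorAction SilentlyContinue)
$sig = Get-AuthenticodeSignature -FilePath $modulePath
"Remote-marked: $isRemote; signature: $($sig.Status); signer: $($sig.SignerCertificate.Subject)"

# Summarises the documented load rules for each policy value so the three facts
# above can be turned into a yes/no answer. Name is the example's own.
function Test-WouldLoad {
    param([string]$Policy, [bool]$Remote, [string]$SignatureStatus)
    switch ($Policy) {
        'Restricted'   { return $false }                                  # no script files at all
        'AllSigned'    { return $SignatureStatus -eq 'Valid' }            # every file must be signed
        'RemoteSigned' { return (-not $Remote) -or ($SignatureStatus -eq 'Valid') }
        'Unrestricted' { return $true }                                   # remote files only prompt
        'Bypass'       { return $true }
        default        { return $false }  # Undefined everywhere falls back to the OS default
    }
}

"Would load under '$effective': $(Test-WouldLoad $effective $isRemote $sig.Status)"
```

If the module has no Zone.Identifier stream, RemoteSigned lets it load regardless of signature state; if it has a valid Microsoft signature, AllSigned would also work and is the tighter choice when a machine-wide RemoteSigned is not wanted.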

     
