Executing Powershell on remove server fails when path to script is fully qualified

Question

I have two servers running Windows Server 2012 R2 on the same domain, \tt-sql.perf.corp and \tt-file.perf.corp. There's a Powershell script in a shared folder on the file server, \tt-file.perf.corp\fileshare\helloworld.ps1. I have an application on the sql server executing the following command:

powershell -NonInteractive -InputFormat None -ExecutionPolicy Bypass -Command "& '\tt-file.perf.corp\fileshare\helloworld.ps1'"

It's failing with the following error:

& : AuthorizationManager check failed. At line:1 char:3 + & '\tt-file.perf.corp\fileshare\helloworld.ps1' + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : SecurityError: (:) [], PSSecurityException + FullyQualifiedErrorId : UnauthorizedAccess

It also fails if I change the path to use the IP address.

However, it works when the path to the script isn't fully qualified: powershell -NonInteractive -InputFormat None -ExecutionPolicy Bypass -Command "& '\tt-file\fileshare\helloworld.ps1'"

The Windows Management Instrumentation service is running on both servers. I ran Get-ExecutionPolicy on both servers as well, and both are set to Unrestricted. UAC is disabled on both servers. What's going on?

Answer 1

It seems you've already found the workaround (using the Short Name versus the FQDN), so instead I'll try to answer why you're hitting into this problem in the first place.

Some greater can be found in this blog post; effectively this is happening because when you specify the FQDN to a server, you're running afoul of one of PowerShell / Windows security features. Even though you're specifying that PowerShell should bypass the normal execution policy, running from an FQDN makes Windows believe that this file is coming from the web, and thus PowerShell wants to display a warning to you like this one:

Run only scripts that you trust. While scripts from the Internet can be
useful, this script can potentially harm your computer. Do you want to run  
\\tt-file.perf.corp\fileshare\helloworld.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"):

But it cannot, because you're running the shell in NonInteractive Mode.

---

So you have two options to resolve this, really:

1. As this blog post mentions, you could resolve the problem by making the UNC path a trusted site in IE, or use only the Short Name as you've seen (using \tt-file\ versus \tt-file.perf.corp) instead.
2. You could use Group Policy (or configure within IE if this is a one-off computer) addresses for local Intranet Zone. If this is a one-off machine, go to Internet Explorer, Tools, Internet Options, then go to the Security Tab. Click Local Intranet, Advanced, then add your FQDN here, as seen below.

If this is a setting you'll want to configure globally, specify the path just like I did above at the following location within Group Policy Management Console:

User Configuration, expand Polices > Windows settings >Internet Explorer Maintenance >Security 3. Double click Security Zones and Content Ratings, then chose Import the current security zones and privacy settings.

For more information on the Group Policy Approach, refer to this thread here on TechNet.

I hope this helps! Unfortunately I can't think of a good PowerShell way to solve this problem :).