Monday, March 26, 2018

What are these Execution Policies? And, how can they help me?

Greetings!

I have been writing scripts for a while, but I haven't been too concerned about what the scripts do since I'm only gathering information and not changing anything.  Then, I started creating scripts that create and update Active Directory accounts.  I want to make sure that the scripts don't create havoc within AD or any other part of the server.  To do this, I looked to Execution Policies.

Execution policies are used to set the rules for PowerShell scripts on a server.  These policies help keep scripts from violating the rules.  There are six different policies:

Restricted
     This policy is the default policy set when PowerShell is activated.  With Restricted, you cannot run an entire script but can run individual commands.  This policy also blocks the execution of module files (.psm1), configuration files (.ps1xml), and profile scripts (.ps1).

AllSigned
     This policy allows scripts to run on a server.  However, all scripts and configuration files need to be signed by a trusted publisher, like Verisign.  If you run a script that hasn't been classified as trusted or untrusted, you will be prompted for credentials.  This is more secure, but bad scripts can still be written and signed.

RemoteSigned
     This is the default policy in Windows Server 2012 R2.  If you download a script from the Internet, it will need a digital signature from a trusted source.  The benefit of RemoteSigned is that scripts created on local computers do not need a digital signature.  Similar to AllSigned, dangerous scripts can still be signed.

Unrestricted
     Unsigned scripts can run (this can be dangerous).  You will be warned when you start an unsigned script from the Internet.

Bypass
     This policy lets any script run, and there are no warnings or prompts.  Bypass is helpful if you are calling a script from a command line or from Task Scheduler.  Do not use Bypass when you are running an unverified script.  Bad things can happen.
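
To see how these policies apply on a given server, here is an added example (not part of the original post) that reads the effective policy, flags any scope set to Unrestricted or Bypass, and predicts whether a script would be allowed to run.  The function name `Test-ScriptAgainstPolicy` and the script name in the usage line are hypothetical, and the per-scope listing goes slightly beyond what the post covers.

```powershell
# Added example: audit the execution policy and predict how one script is treated.
# Test-ScriptAgainstPolicy is a hypothetical helper name, not a built-in cmdlet.
function Test-ScriptAgainstPolicy {
    param(
        [Parameter(Mandatory)][string]$Path
    )

    # Effective policy for this session (the result of all scopes combined).
    $effective = [string](Get-ExecutionPolicy)

    # Per-scope settings; flag any scope that turns off signature checks.
    $riskyScopes = Get-ExecutionPolicy -List |
        Where-Object { [string]$_.ExecutionPolicy -in 'Unrestricted', 'Bypass' } |
        ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }

    # Authenticode status of the script: Valid, NotSigned, HashMismatch, ...
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signed = $sig.Status -eq 'Valid'

    # Files saved from the Internet carry a Zone.Identifier stream with ZoneId=3.
    # Assumption: Windows with NTFS; the stream does not exist elsewhere.
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $fromInternet = [bool]($zone -match 'ZoneId=3')

    # Simplified decision per policy, following the descriptions in the post.
    # Under AllSigned a valid signature can still prompt to trust the publisher.
    $allowed = switch ($effective) {
        'Restricted'   { $false }
        'AllSigned'    { $signed }
        'RemoteSigned' { $signed -or -not $fromInternet }
        default        { $true }   # Unrestricted or Bypass
    }

    [pscustomobject]@{
        Script          = $Path
        EffectivePolicy = $effective
        SignatureStatus = $sig.Status
        FromInternet    = $fromInternet
        WouldRun        = $allowed
        RiskyScopes     = $riskyScopes -join ', '
    }
}

# Usage (hypothetical script name):
# Test-ScriptAgainstPolicy -Path .\New-ADAccounts.ps1
```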


Personally, I try to never use Unrestricted or Bypass.  However, you may find a need to use one of these settings.  Just make sure you know the risks of each one.
