How to Restrict PowerShell Script Execution for Standard Users

What Causes This?

PowerShell is installed by default on Windows and can run scripts that automate system changes. If execution policies are left too permissive, standard users may be able to launch unsigned or unapproved scripts, which increases the risk of malware, unauthorized changes, or abuse of built-in admin tools. In many cases, the issue comes from default settings, inconsistent Group Policy rules, or older machines where PowerShell restrictions were never reviewed.

Common Symptoms

• Standard user accounts can run .ps1 scripts without warnings
• Unknown PowerShell windows briefly appear during startup or login
• Security software reports suspicious script activity
• Users can launch automation scripts from Downloads, Desktop, or shared folders
• IT audits show weak or inconsistent PowerShell execution policies

How to Fix It Manually

1. Check the current PowerShell execution policy

   1. Press Start, type powershell.
   2. Right-click Windows PowerShell and choose Run as administrator.
   3. In the PowerShell window, run:

      Get-ExecutionPolicy -List

   4. Review the results. Pay attention to LocalMachine, CurrentUser, and any MachinePolicy or UserPolicy entries.

2. Set a stricter execution policy for the computer

   1. In the same elevated PowerShell window, run:

      Set-ExecutionPolicy RemoteSigned -Scope LocalMachine

      or, for stricter control:

      Set-ExecutionPolicy AllSigned -Scope LocalMachine

   2. Type Y and press Enter to confirm.
   3. RemoteSigned allows local scripts but blocks unsigned scripts downloaded from the internet. AllSigned requires every script to be signed.

3. Use Group Policy to enforce the setting

   1. Press Win + R, type gpedit.msc, and press Enter.
   2. Go to: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
   3. Double-click Turn on Script Execution.
   4. Set it to Enabled.
   5. Choose one of these options:
      • Allow only signed scripts
      • Allow local scripts and remote signed scripts
   6. Click Apply, then OK.
   7. This prevents users from bypassing the setting with their own per-user policy.

4. Update policy settings on the PC

   1. Press Start, type cmd.
   2. Right-click Command Prompt and choose Run as administrator.
   3. Run:

      gpupdate /force

   4. Restart the PC if prompted.

5. Verify that a standard user cannot loosen the policy

   1. Sign in with a standard user account.
   2. Open Windows PowerShell normally.
   3. Run:

      Get-ExecutionPolicy -List

   4. Confirm that MachinePolicy or LocalMachine is enforcing the restriction.
   5. If needed, test a script from the Downloads folder and confirm Windows blocks it if it is unsigned.

6. Reduce script abuse from common user-writeable folders

   1. Avoid storing approved scripts in Downloads, Desktop, or temp folders.
   2. Move approved scripts to a locked-down folder such as C:\Program Files\CompanyScripts.
   3. Adjust NTFS permissions so standard users can read scripts but not modify them.
   4. This helps prevent users from replacing trusted scripts with altered copies.

Fix It Automatically with Kudu

Kudu can help you spot risky system settings that make script abuse easier, including weak security configurations and inconsistent Windows policies. Instead of checking every machine manually, you can use Kudu to audit problem areas quickly and apply safer optimization and hardening changes with less guesswork.

Download Kudu Free →