Here is the scenario: we have, via GPO, all PCs locked down to require AllSigned.
The help desk, however, needs to do things that require the AD Module. When they try to load it, they get the expected "blah blah ActiveDirectory.Types.ps1xml is not digitally signed".
We do not want them to be able to run whatever; if I sign the AD Module for them, though, they can pretty much run whatever they want to.
Now the question: is there any other way (e.g. call the AD module from a signed script) to load the AD module without giving them access to run whatever they want to?
The 'plan' is that they give us what they want to run; if it looks good, we sign the script and it will run fine.
The problem is that they are trying to work around it by calling powershell.exe from a .bat file, which lets them run it like they would have typed it in the PowerShell CLI.
I...