Here is my little follow-up to the blog post yesterday.
I have moved the machine with the installation of MBCA and BPA into an OU where the inheritance of the domain policies is blocked. I have checked the PS execution policy with Get-ExecutionPolicy -List. Every scope was set to Undefined except UserPolicy… I forgot to place my test account into the test OU without the policy inheritance.
Now that I had a clean system, I could run the MBCA without any problems and therefore the SQL Server 2k8 R2 BPA as well. But once I enabled a policy setting, either for MachinePolicy or UserPolicy, MBCA failed again. Keep in mind that in the environment where I want to use the MBCA/BPA, the policy regarding the PS ExecutionPolicy is set to Unrestricted.
Another problem was trying to scan a remote machine with the MBCA. If you run the MBCA locally, it will call the MBCA on the target machine, which then loads the BPA there. In my case it failed, since the target server also gets the ExecutionPolicy setting via a group policy.
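A pre-flight check for the situation described above, as an added example that is not part of the original post: it reports, for the local machine and each scan target, whether the MachinePolicy or UserPolicy scope is set by Group Policy. The target names are constructed placeholders, and PowerShell remoting is assumed to be enabled on the remote targets.

```powershell
# Added example (not from the original post).
# Reports which execution-policy scopes are set by Group Policy on the local
# machine and on each scan target, before starting an MBCA/BPA scan.
# Assumptions: PowerShell remoting is enabled on remote targets; the names
# in $targets are constructed placeholders.
$targets = @('localhost', 'SQLSRV01.example.test')

$check = {
    # One object per scope:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine
    $scopes = Get-ExecutionPolicy -List

    # MachinePolicy and UserPolicy are the two scopes written by Group Policy.
    $gpo = $scopes | Where-Object {
        ($_.Scope -eq 'MachinePolicy' -or $_.Scope -eq 'UserPolicy') -and
        $_.ExecutionPolicy -ne 'Undefined'
    }

    New-Object PSObject -Property @{
        Computer         = $env:COMPUTERNAME
        # UserPolicy depends on the account, so record who ran the check.
        User             = "$env:USERDOMAIN\$env:USERNAME"
        Effective        = Get-ExecutionPolicy
        SetByGroupPolicy = [bool]$gpo
        GpoScopes        = ($gpo | ForEach-Object {
                               "$($_.Scope)=$($_.ExecutionPolicy)"
                           }) -join ', '
    }
}

foreach ($t in $targets) {
    if ($t -eq 'localhost') {
        $result = & $check
    } else {
        # Runs under the remoting account, i.e. the account the scan would use.
        $result = Invoke-Command -ComputerName $t -ScriptBlock $check
    }
    $result | Select-Object Computer, User, Effective, SetByGroupPolicy, GpoScopes
}
```

Run it with the same account that will start the scan, because the UserPolicy scope follows the user's OU rather than the computer's.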
What I will do next is to check if this behaviour still occurs if the ExecutionPolicy is set to RemoteSigned by a group policy.
And a last little hint: If you run the BPA through PowerShell and you want to scan a SQL Server instance, either local or remote, use an account which is a direct member of the sysadmin group. I used an account which is a member of a special domain group, and this group is then a member of the sysadmin group on the SQL servers. In this scenario I got only one error telling me that the account I'm using is not a member of the sysadmin group…