I blogged up my solution to this issue
http://appsensebigot.blogspot.co.uk/2013/10/case-study-ensuring-user-doesnt-have.html
-
although as it uses EM to do most of the work I'm not sure how much value
this has to the NTSysAdm field, but it's there anyway :-)

cheers,



JR


On 7 October 2013 07:47, James Rankin <kz2...@googlemail.com> wrote:

> That's definitely a possibility, to use the groups as security filters on
> GPOs with the settings in, thanks.
>
> I've actually managed to get this working simply by using some custom
> group checks in AppSense Environment Manager (the Condition is only
> satisfied if the user *is *a member of Group A, and *not *a member of
> Groups B and C, mixed and matched as necessary). Then the bit of PowerShell
> simply pops up the message, and then it calls logoff.exe, seems to work
> nice and smoothly.
>
> Thanks for all the input.
>
> Cheers,
>
>
>
> JR
>
>
> On 4 October 2013 22:55, Aakash Shah <aakash.s...@uci.edu> wrote:
>
>> Correct, the GP itself would not log off automatically (although there
>> could be a way to engineer this using the HKCU run key and
>> shutdown.exe/script, but not using native GP methods afaik).
>>
>> Yes, what I was referring to is that one of the groups would be set as
>> the “default” if the user belonged to multiple groups, and the user would
>> get these default settings if they belonged to multiple groups. However,
>> it sounds like this may not be an acceptable solution in your environment.
>>
>> Another option (if you are still looking at other options) is to
>> potentially combine the PowerShell approach you are looking at with the
>> “Apply” “Deny” approach I mentioned below, since it will prevent the
>> combination of GPs from multiple areas that you found causes unpredictable
>> behavior. And if you don’t want any of the area GPs to apply if a user
>> belongs to multiple area security groups, then you can set the security
>> filtering for AreaSG1 in the example below such that it has “Deny”
>> “Apply Group Policy” to Area2SG and Area3SG. So if you decide to consider
>> this approach, you would:
>>
>> 1. Set up Area1GP for security filtering such that it has:
>>    a. “Allow” “Apply Group Policy” permission to Area1SG.
>>    b. “Deny” “Apply Group Policy” to Area2SG and Area3SG.
>> 2. Set up Area2GP for security filtering such that it has:
>>    a. “Allow” “Apply Group Policy” to Area2SG.
>>    b. “Deny” “Apply Group Policy” to Area1SG and Area3SG.
>> 3. Set up Area3GP for security filtering such that it has:
>>    a. “Allow” “Apply Group Policy” to Area3SG.
>>    b. “Deny” “Apply Group Policy” to Area1SG and Area2SG.
>>
>> -Aakash Shah
>>
>> *From:* listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] *On Behalf Of* James Rankin
>> *Sent:* Friday, October 4, 2013 1:24 AM
>> *To:* ntsysadm@lists.myitforum.com
>> *Subject:* Re: [NTSysADM] PowerShell (again)
>>
>> I might be missing something here, but how do the GPOs log a user out if
>> they are in multiple groups? Or are you saying one will "default" if they
>> are in multiple groups? That's a bit tricky - the "default" user settings
>> are defined by the user's AD security group.
>>
>>
>> On 4 October 2013 00:54, Aakash Shah <aakash.s...@uci.edu> wrote:
>>
>> Not to take anything away from the PowerShell side of things, but the
>> following could help address the problem from a GP perspective (it does
>> make an assumption that one of the areas is the default, and so this may
>> not meet your requirements if this is not acceptable).
>>
>> 3 Group Policies:
>> 1. Area1GP
>> 2. Area2GP
>> 3. Area3GP
>>
>> And it appears that you have 3 security groups:
>> 1. Area1SG
>> 2. Area2SG
>> 3. Area3SG
>>
>> Set up Area1GP, Area2GP and Area3GP to apply to the same OU (it sounds like
>> this is already being done due to the client not allowing separation by OU).
>>
>> Now, you need to determine which of the 3 areas should be the “default”
>> in the event of a user being added to more than 1 group. In this example,
>> I am assuming that Area1GP is the “default” GP that should apply in the
>> event that the user is part of more than 1 Area security group.
>>
>> Set up security filtering as such:
>> 1. Set up Area1GP for security filtering such that it has:
>>    a. “Allow” “Apply Group Policy” permission to Area1SG.
>> 2. Set up Area2GP for security filtering such that it has:
>>    a. “Allow” “Apply Group Policy” to Area2SG.
>>    b. “Deny” “Apply Group Policy” to Area1SG and Area3SG.
>> 3. Set up Area3GP for security filtering such that it has:
>>    a. “Allow” “Apply Group Policy” to Area3SG.
>>    b. “Deny” “Apply Group Policy” to Area1SG and Area2SG.
>>
>> You may already be doing this, but you can also consider adding a
>> background wallpaper for each Area so that the people know what area
>> settings they received. The tool BgInfo
>> <http://technet.microsoft.com/en-us/sysinternals/bb897557.aspx> could
>> potentially be helpful here too if you don’t want to create your own
>> wallpapers.
>>
>> While the “Deny” setting should be used sparingly, I think it may be
>> appropriate here given the constraints about not being able to use separate
>> OUs.
>>
>>
>> -Aakash Shah
>>
>> *From:* listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] *On Behalf Of* James Rankin
>> *Sent:* Thursday, October 3, 2013 5:32 AM
>> *To:* NTSysADM@lists.myitforum.com
>> *Subject:* [NTSysADM] PowerShell (again)
>>
>> Is it possible to use PowerShell to display a message to a user and then
>> log them out? My scenario is this:
>>
>> Got to deliver three distinct desktops from one single image. The access
>> to the desktops is controlled via AD group, so if you are in the Warehouse
>> group, you get the Warehouse desktop. Now, for obvious reasons, I'd sooner
>> have separated this by OU, because a user can only ever be in one OU, but
>> the client doesn't want to do it this way. So if, for whatever reason, a
>> user is erroneously added to two of the AD security groups, we want to halt
>> the logon, display a message, and log the user out. Otherwise they will get
>> a hotch-potch of settings which will look messy and behave in ways we can't
>> predict, as two flavours of desktop try to override each other.
>>
>> The bit to check whether a user is in more than one of the three groups I
>> can handle :-) It's the next bit giving me issues. I can't really find any
>> reliable way to do the message box by Googling, and although I could do it
>> with VBScript that feels like admitting defeat. Is there a good way to
>> deliver a message box (just with an "OK" response) in PS?
>>
>> To log them out, I am assuming I could just call the Windows logoff.exe
>> when the message box is gone. Unless there's a way to do logoffs native to
>> PS?
>>
>> Thanks for the continued help with my battle to learn PS properly :-(
>>
>> Cheers,
>>
>> --
>> *James Rankin*
>> Technical Consultant (ACA, CCA, MCTS)
>> http://appsensebigot.blogspot.co.uk
>>
>>
>> --
>> *James Rankin*
>> Technical Consultant (ACA, CCA, MCTS)
>> http://appsensebigot.blogspot.co.uk
>>
>
>
>
> --
> *James Rankin*
> Technical Consultant (ACA, CCA, MCTS)
> http://appsensebigot.blogspot.co.uk
>



-- 
*James Rankin*
Technical Consultant (ACA, CCA, MCTS)
http://appsensebigot.blogspot.co.uk
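The following is an added example written for this thread, not code from any of the posters, from the linked blog post, or from AppSense Environment Manager. It implements the PowerShell side of what James Rankin describes in his original question and his 7 October follow-up: check whether the logged-on user is in more than one of the three area groups, show an OK-only message box, and then call logoff.exe. The group names Area1SG, Area2SG and Area3SG are borrowed from Aakash Shah's example and are assumptions, as are the event source name and the assumption that the script runs as a per-user logon script so that logoff.exe ends the current session.

```powershell
# Added example (not from the thread): refuse a logon when the user is a member
# of more than one desktop "area" group, tell them why, then log them off.
# Assumed group names come from the thread's example; adjust to suit.
param(
    [string[]]$AreaGroups = @('Area1SG', 'Area2SG', 'Area3SG'),
    [switch]$WhatIf    # report the decision without actually logging off
)

# Compare the logon token's group SIDs with the area groups. Reading the token
# (WindowsIdentity) rather than querying AD honours nested membership and needs
# no extra domain round-trip at logon time.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = $identity.Groups | ForEach-Object { $_.Value }

$memberOf = foreach ($g in $AreaGroups) {
    try {
        $account = [System.Security.Principal.NTAccount]"$env:USERDOMAIN\$g"
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Cannot resolve group '$g': $($_.Exception.Message)"
        continue
    }
    if ($tokenSids -contains $sid) { $g }
}

if (@($memberOf).Count -le 1) {
    Write-Verbose "Area membership OK: $($memberOf -join ', ')"
    exit 0
}

# Conflicting membership: explain to the user, leave a trace for the helpdesk,
# and end the session before the mixed desktop settings are applied.
$msg = "Your account is a member of more than one desktop area group " +
       "($($memberOf -join ', ')). Please contact the service desk. " +
       "You will now be logged off."

Add-Type -AssemblyName System.Windows.Forms
[void][System.Windows.Forms.MessageBox]::Show(
    $msg, 'Desktop configuration error',
    [System.Windows.Forms.MessageBoxButtons]::OK,
    [System.Windows.Forms.MessageBoxIcon]::Error)

# Application log entry so the conflict can be found later. The source name
# 'AreaLogonCheck' is an assumption and must be registered once by an
# administrator (New-EventLog -LogName Application -Source AreaLogonCheck);
# if it is not registered the write fails silently rather than blocking logoff.
try {
    Write-EventLog -LogName Application -Source 'AreaLogonCheck' -EntryType Warning `
        -EventId 1001 -Message "$env:USERNAME is in area groups: $($memberOf -join ', ')"
} catch { }

if ($WhatIf) { Write-Host "WhatIf: would run logoff.exe now"; exit 1 }
& "$env:SystemRoot\System32\logoff.exe"
```

Running it with `-WhatIf` from a test account that has been deliberately placed in two of the groups shows the message and the log entry without ending the session, which is the easiest way to confirm the check before it is wired into the logon. The script only handles the "more than one group" case the thread is about; a user in none of the groups is left alone, and the GPO security-filtering "Deny" arrangement Aakash describes is a separate, complementary control on the policy side.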
