Not to take anything away from the PowerShell side of things, but the following 
could help address the problem from a GP perspective (it does make an 
assumption that one of the areas is the default, and so this may not meet your 
requirements if this is not acceptable).

3 Group Policies:

1. Area1GP
2. Area2GP
3. Area3GP

And it appears that you have 3 security groups:

1. Area1SG
2. Area2SG
3. Area3SG

Set up Area1GP, Area2GP and Area3GP to apply to the same OU (it sounds like this 
is already being done due to the client not allowing separation by OU).

Now, you need to determine which of the 3 areas should be the "default" in the 
event of a user being added to more than 1 group.  In this example, I am 
assuming that Area1GP is the "default" GP that should apply in the event that 
the user is part of more than 1 Area security group.

Set up security filtering as such:

1. Set up Area1GP for security filtering such that it has:
   a. "Allow" "Apply Group Policy" permission to Area1SG.

2. Set up Area2GP for security filtering such that it has:
   a. "Allow" "Apply Group Policy" to Area2SG.
   b. "Deny" "Apply Group Policy" to Area1SG and Area3SG.

3. Set up Area3GP for security filtering such that it has:
   a. "Allow" "Apply Group Policy" to Area3SG.
   b. "Deny" "Apply Group Policy" to Area1SG and Area2SG.

You may already be doing this, but you can also consider adding a background 
wallpaper for each Area so that the people know what area settings they 
received.  The tool BgInfo 
(http://technet.microsoft.com/en-us/sysinternals/bb897557.aspx) could 
potentially be helpful here too if you don't want to create your own wallpapers.

While the "Deny" setting should be used sparingly, I think it may be 
appropriate here given the constraints about not being able to use separate OUs.

-Aakash Shah

From: [email protected] [mailto:[email protected]] On 
Behalf Of James Rankin
Sent: Thursday, October 3, 2013 5:32 AM
To: [email protected]
Subject: [NTSysADM] PowerShell (again)

Is it possible to use PowerShell to display a message to a user and then log 
them out? My scenario is this:-

Got to deliver three distinct desktops from one single image. The access to the 
desktops is controlled via AD group, so if you are in the Warehouse group, you 
get the Warehouse desktop. Now, for obvious reasons, I'd sooner have separated 
this by OU, because a user can only ever be in one OU, but the client doesn't 
want to do it this way. So if, for whatever reason, a user is erroneously added 
to two of the AD security groups, we want to halt the logon, display a message, 
and log the user out. Otherwise they will get a hotch-potch of settings which 
will look messy and behave in ways we can't predict, as two flavours of desktop 
try to override each other.

The bit to check whether a user is in more than one of the three groups I can 
handle :-) It's the next bit giving me issues. I can't really find any reliable 
way to do the message box by Googling, and although I could do it with VBScript 
that feels like admitting defeat. Is there a good way to deliver a message box 
(just with an "OK" response) in PS?

To log them out, I am assuming I could just call the Windows logoff.exe when 
the message box is gone. Unless there's a way to do logoffs native to PS?

Thanks for the continued help with my battle to learn PS properly :-(

Cheers,

--
James Rankin
Technical Consultant (ACA, CCA, MCTS)
http://appsensebigot.blogspot.co.uk
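The logon-script half of the question above (membership check, "OK" message box, then logoff), as an added example that is not part of the thread. It assumes the domain is CONTOSO and the groups are named Area1SG, Area2SG and Area3SG; it reads the groups from the logon token rather than querying AD, so nested membership is covered, and it uses the WPF MessageBox class and the logoff.exe the original post mentions.

```powershell
# Added example, not from the thread. Runs as a user logon script and needs
# an interactive session for the message box.
# Assumed names: CONTOSO\Area1SG, CONTOSO\Area2SG, CONTOSO\Area3SG.
$AreaGroups = @('CONTOSO\Area1SG', 'CONTOSO\Area2SG', 'CONTOSO\Area3SG')

# Resolve the SIDs in the current logon token to DOMAIN\Name form.
# Groups that cannot be translated (orphaned SIDs) are skipped.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sessionGroups = foreach ($sid in $identity.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
}

# Keep the Area groups this session actually holds (-contains is
# case-insensitive, matching how Windows treats account names).
$matched = @($AreaGroups | Where-Object { $sessionGroups -contains $_ })

if ($matched.Count -gt 1) {
    # WPF MessageBox: PresentationFramework has to be loaded first.
    Add-Type -AssemblyName PresentationFramework
    $text = "Your account is a member of more than one desktop group:`n`n" +
            ($matched -join "`n") +
            "`n`nThe logon will be cancelled. Please contact the service desk."
    [void][System.Windows.MessageBox]::Show(
        $text,
        'Desktop assignment error',
        [System.Windows.MessageBoxButton]::OK,
        [System.Windows.MessageBoxImage]::Error)

    # End the session once the user has dismissed the box.
    # logoff.exe with no arguments logs off the current session.
    Start-Process -FilePath 'logoff.exe' -NoNewWindow
    exit 1
}

# Exactly one (or zero) Area groups: let the logon continue normally.
exit 0
```

shutdown.exe /l is an equivalent way to end the session if logoff.exe is blocked by policy; a Deny on "Apply Group Policy" as described in the reply above still prevents the settings clash even when this script is not run.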
