I might be missing something here, but how do the GPOs log a user out if they are in multiple groups? Or are you saying one will "default" if they are in multiple groups? That's a bit tricky - the "default" user settings are defined by the user's AD security group.

On 4 October 2013 00:54, Aakash Shah <[email protected]> wrote:

> Not to take anything away from the Powershell side of things, but the following could help address the problem from a GP perspective (it does make an assumption that one of the areas is the default, and so this may not meet your requirements if this is not acceptable).
>
> 3 Group Policies:
>
> 1. Area1GP
> 2. Area2GP
> 3. Area3GP
>
> And it appears that you have 3 security groups:
>
> 1. Area1SG
> 2. Area2SG
> 3. Area3SG
>
> Set up Area1GP, Area2GP and Area3GP to apply to same OU (it sounds like this is already being done due to the client not allowing separation by OU).
>
> Now, you need to determine which of the 3 areas should be the “default” in the event of a user being added to more than 1 group. In this example, I am assuming that Area1GP is the “default” GP that should apply in the event that the user is part of more than 1 Area security group.
>
> Set up security filtering as such:
>
> 1. Set up Area1GP for security filtering such that it has:
>    a. “Allow” “Apply Group Policy” permission to Area1SG.
> 2. Set up Area2GP for security filtering such that it has:
>    a. “Allow” “Apply Group Policy” to Area2SG.
>    b. “Deny” “Apply Group Policy” to Area1SG and Area3SG.
> 3. Set up Area3GP for security filtering such that it has:
>    a. “Allow” “Apply Group Policy” to Area3SG.
>    b. “Deny” “Apply Group Policy” to Area1SG and Area2SG.
>
> You may already be doing this, but you can also consider adding a background wallpaper for each Area so that the people know what area settings they received. The tool BgInfo <http://technet.microsoft.com/en-us/sysinternals/bb897557.aspx> could potentially be helpful here too if you don’t want to create your own wallpapers.
>
> While the “Deny” setting should be used sparingly, I think it may be appropriate here given the constraints about not being able to use separate OUs.
>
> -Aakash Shah
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* James Rankin
> *Sent:* Thursday, October 3, 2013 5:32 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] PowerShell (again)
>
> Is it possible to use PowerShell to display a message to a user and then log them out? My scenario is this:-
>
> Got to deliver three distinct desktops from one single image. The access to the desktops is controlled via AD group, so if you are in the Warehouse group, you get the Warehouse desktop. Now, for obvious reasons, I'd sooner have separated this by OU, because a user can only ever be in one OU, but the client doesn't want to do it this way. So if, for whatever reason, a user is erroneously added to two of the AD security groups, we want to halt the logon, display a message, and log the user out. Otherwise they will get a hotch-potch of settings which will look messy and behave in ways we can't predict, as two flavours of desktop try to override each other.
>
> The bit to check whether a user is in more than one of the three groups I can handle :-) It's the next bit giving me issues. I can't really find any reliable way to do the message box by Googling, and although I could do it with VBScript that feels like admitting defeat. Is there a good way to deliver a message box (just with an "OK" response) in PS?
>
> To log them out, I am assuming I could just call the Windows logoff.exe when the message box is gone. Unless there's a way to do logoffs native to PS?
>
> Thanks for the continued help with my battle to learn PS properly :-(
>
> Cheers,
>
> --
> *James Rankin*
> Technical Consultant (ACA, CCA, MCTS)
> http://appsensebigot.blogspot.co.uk

--
*James Rankin*
Technical Consultant (ACA, CCA, MCTS)
http://appsensebigot.blogspot.co.uk
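The check-and-logoff logon script asked about in the quoted original, as an added example that is not part of the thread: it reads the groups from the logon token, shows an OK-only message box and then calls logoff.exe. The group names are the Area1SG/Area2SG/Area3SG placeholders from the reply above; the function name and message text are hypothetical.

```powershell
# Added example (not from the thread): halt the logon when the user is in
# more than one area group. Group names are the placeholders used in the thread.
$areaGroups = 'Area1SG', 'Area2SG', 'Area3SG'

function Get-AreaGroupMatches {   # hypothetical helper name
    param(
        [string[]]$TokenGroups,   # group names from the token (DOMAIN\Name)
        [string[]]$AreaGroups
    )
    # Compare on the part after the domain prefix; -contains is case-insensitive.
    $short = $TokenGroups | ForEach-Object { ($_ -split '\\')[-1] }
    $AreaGroups | Where-Object { $short -contains $_ }
}

# Read groups from the access token: it reflects the membership in effect
# for this logon session, nested groups included.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = foreach ($sid in $identity.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch [System.Security.Principal.IdentityNotMappedException] { }  # unresolvable SID, skip
}

# @() keeps the result an array even when zero or one group matches.
$hits = @(Get-AreaGroupMatches -TokenGroups $tokenGroups -AreaGroups $areaGroups)

if ($hits.Count -gt 1) {
    Add-Type -AssemblyName System.Windows.Forms
    $text = "Your account is in more than one desktop group ($($hits -join ', ')). " +
            "Please contact the service desk. You will now be logged off."
    # Show() blocks until the user clicks OK.
    [void][System.Windows.Forms.MessageBox]::Show(
        $text, 'Logon halted',
        [System.Windows.Forms.MessageBoxButtons]::OK,
        [System.Windows.Forms.MessageBoxIcon]::Stop)
    & "$env:SystemRoot\System32\logoff.exe"
}
```

A group added during the current session does not appear in the token until the next logon, so the check only sees the membership the session started with.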

