Correct, the GP itself would not log off automatically (although there could be a way to engineer this using the HKCU run key and shutdown.exe/script, but not using native GP methods afaik).

Yes, what I was referring to is that one of the groups would be set as the "default" if the user belonged to multiple groups, and the user would get these default settings if they belonged to multiple groups. However, it sounds like this may not be an acceptable solution in your environment.

Another option (if you are still looking at other options) is to potentially combine the PowerShell approach you are looking at with the "Apply" "Deny" approach I mentioned below since it will prevent the combination of GPs from multiple areas that you found causes unpredictable behavior. And if you don't want any of the area GPs to apply if a user belongs to multiple area security groups, then you can set the security filtering for AreaSG1 in the example below such that it has "Deny" "Apply Group Policy" to Area2SG and Area3SG.

So if you decide to consider this approach, you would:

1. Set up Area1GP for security filtering such that it has:
   a. "Allow" "Apply Group Policy" permission to Area1SG.
   b. "Deny" "Apply Group Policy" to Area2SG and Area3SG.
2. Set up Area2GP for security filtering such that it has:
   a. "Allow" "Apply Group Policy" to Area2SG.
   b. "Deny" "Apply Group Policy" to Area1SG and Area3SG.
3. Set up Area3GP for security filtering such that it has:
   a. "Allow" "Apply Group Policy" to Area3SG.
   b. "Deny" "Apply Group Policy" to Area1SG and Area2SG.

-Aakash Shah

From: [email protected] [mailto:[email protected]] On Behalf Of James Rankin
Sent: Friday, October 4, 2013 1:24 AM
To: [email protected]
Subject: Re: [NTSysADM] PowerShell (again)

I might be missing something here, but how do the GPOs log a user out if they are in multiple groups? Or are you saying one will "default" if they are in multiple groups? That's a bit tricky - the "default" user settings are defined by the user's AD security group.

On 4 October 2013 00:54, Aakash Shah <[email protected]> wrote:

Not to take anything away from the PowerShell side of things, but the following could help address the problem from a GP perspective (it does make an assumption that one of the areas is the default, and so this may not meet your requirements if this is not acceptable).

3 Group Policies:

1. Area1GP
2. Area2GP
3. Area3GP

And it appears that you have 3 security groups:

1. Area1SG
2. Area2SG
3. Area3SG

Set up Area1GP, Area2GP and Area3GP to apply to same OU (it sounds like this is already being done due to the client not allowing separation by OU).

Now, you need to determine which of the 3 areas should be the "default" in the event of a user being added to more than 1 group. In this example, I am assuming that Area1GP is the "default" GP that should apply in the event that the user is part of more than 1 Area security group.

Set up security filtering as such:

1. Set up Area1GP for security filtering such that it has:
   a. "Allow" "Apply Group Policy" permission to Area1SG.
2. Set up Area2GP for security filtering such that it has:
   a. "Allow" "Apply Group Policy" to Area2SG.
   b. "Deny" "Apply Group Policy" to Area1SG and Area3SG.
3. Set up Area3GP for security filtering such that it has:
   a. "Allow" "Apply Group Policy" to Area3SG.
   b. "Deny" "Apply Group Policy" to Area1SG and Area2SG.

You may already be doing this, but you can also consider adding a background wallpaper for each Area so that the people know what area settings they received. The tool BgInfo <http://technet.microsoft.com/en-us/sysinternals/bb897557.aspx> could potentially be helpful here too if you don't want to create your own wallpapers.

While the "Deny" setting should be used sparingly, I think it may be appropriate here given the constraints about not being able to use separate OUs.

-Aakash Shah

From: [email protected] [mailto:[email protected]] On Behalf Of James Rankin
Sent: Thursday, October 3, 2013 5:32 AM
To: [email protected]
Subject: [NTSysADM] PowerShell (again)

Is it possible to use PowerShell to display a message to a user and then log them out?

My scenario is this:-

Got to deliver three distinct desktops from one single image. The access to the desktops is controlled via AD group, so if you are in the Warehouse group, you get the Warehouse desktop. Now, for obvious reasons, I'd sooner have separated this by OU, because a user can only ever be in one OU, but the client doesn't want to do it this way.

So if, for whatever reason, a user is erroneously added to two of the AD security groups, we want to halt the logon, display a message, and log the user out. Otherwise they will get a hotch-potch of settings which will look messy and behave in ways we can't predict, as two flavours of desktop try to override each other.

The bit to check whether a user is in more than one of the three groups I can handle :-) It's the next bit giving me issues. I can't really find any reliable way to do the message box by Googling, and although I could do it with VBScript that feels like admitting defeat.

Is there a good way to deliver a message box (just with an "OK" response) in PS?

To log them out, I am assuming I could just call the Windows logoff.exe when the message box is gone. Unless there's a way to do logoffs native to PS?

Thanks for the continued help with my battle to learn PS properly :-(

Cheers,

--
James Rankin
Technical Consultant (ACA, CCA, MCTS)
http://appsensebigot.blogspot.co.uk
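
The check described in the original post (membership in more than one area group, then an "OK" message box and a logoff), sketched in PowerShell as an added example that is not part of the thread. The group names Area1SG to Area3SG are borrowed from the example naming in the replies, and the message wording and helper function names are placeholders; it assumes the script runs in the user's own session, for instance as a logon script.

```powershell
# Added example: halt the logon when the user is in more than one area group.
# Group names are assumptions taken from the thread's example naming.
$AreaGroups = @('Area1SG', 'Area2SG', 'Area3SG')

function Get-AreaMembership {
    param(
        [string[]]$TokenGroups,   # names in DOMAIN\Group or plain form
        [string[]]$AreaGroups
    )
    # Strip any DOMAIN\ prefix and keep only the area groups, de-duplicated.
    $TokenGroups |
        ForEach-Object { ($_ -split '\\')[-1] } |
        Where-Object { $AreaGroups -contains $_ } |
        Sort-Object -Unique
}

function Get-CurrentTokenGroups {
    # Read groups from the logon token, so nested membership is included.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # SID could not be resolved to a name; it cannot match, so skip it.
        }
    }
}

$matched = @(Get-AreaMembership -TokenGroups (Get-CurrentTokenGroups) -AreaGroups $AreaGroups)

if ($matched.Count -gt 1) {
    Add-Type -AssemblyName System.Windows.Forms
    # Parentheses matter: -f binds tighter than +, so build the string first.
    $text = ('Your account is in more than one desktop group ({0}). ' +
             'Please contact the service desk. You will now be logged off.') -f ($matched -join ', ')
    # Show() blocks until the user clicks OK.
    [void][System.Windows.Forms.MessageBox]::Show(
        $text, 'Logon halted',
        [System.Windows.Forms.MessageBoxButtons]::OK,
        [System.Windows.Forms.MessageBoxIcon]::Stop)
    # Log off the current session once the box is dismissed.
    & "$env:SystemRoot\System32\logoff.exe"
}
```

Because the group list comes from the logon token, a membership change made in AD only shows up at the user's next logon.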

