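# Guard: refuse to run this login script in a Terminal Server / Remote Desktop context.
#
# Well-known SIDs checked against the current token:
#   S-1-5-13     = Terminal Server Users
#   S-1-5-14     = Remote Interactive Logon
#   S-1-5-32-555 = Remote Desktop Users
# See https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab for a list of well-known SIDs
$remoteSessionSids = 'S-1-5-13', 'S-1-5-14', 'S-1-5-32-555'

# Group SIDs of the current Windows identity, flattened to plain strings.
$tokenGroupSids = @( [Security.Principal.WindowsIdentity]::GetCurrent( ).Groups | ForEach-Object { $_.Value } )

# Compare whole SIDs with -contains instead of regex substring matching.
# The earlier condition ("-match 'S-1-5-13' -or 'S-1-5-14' -or '1-5-32-555'") was
# always true: a bare non-empty string used as an -or operand evaluates to $true,
# and the [bool] cast was applied before -match, so the script stopped for every
# user. Exact comparison also keeps 'S-1-5-13' from matching a longer SID that
# merely starts with the same characters.
# NOTE(review): S-1-5-32-555 is a group membership rather than a logon-type
# marker, so members are presumably blocked in console sessions as well.
# Confirm that is the intended policy.
$matchedSids = @( $tokenGroupSids | Where-Object { $remoteSessionSids -contains $_ } )

if ( $matchedSids.Count -gt 0 ) {
	Write-Error "This login script must NOT be executed by Terminal Server or Remote Desktop users." -ErrorAction Stop
}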