Block by ad groups script
if(!context.onPrem){
trace("not onprem");
var umod = module('User');
var user = umod.GetCurrentUser();
var blocked_groups = ["<group_name_1>", "<group_name_2>"];
if (blocked_groups != null)
{
if (user.InEffectiveGroupByNames(blocked_groups)){
trace("block specified AD groups");
policy.Locked = true;
}
}
}