• This would be great if the deny was restricted to the Windows group, but in my understanding this is what happens:

    User A is part of Windows groups G1 and G2.

    G1 has a "grant connect SQL"

    G2 has a "deny connect SQL"

    This means that A has a grant AND a deny connect SQL.

    This in turn means no access since the deny prevents connection.

    But if I'm wrong, this would solve part of my problem.

    The other part is still "How do I kill sessions based on their groups?"

    Thanks for your answer 😎