Excuse me if anyone has asked this before – I tried to search, but maybe I missed it.
Anyway, I have to:
1a) Set a domain-wide policy to deny access to this computer from the network
1b) Include the local "administrator" of each computer in this policy
I am amazed that only domain users are displayed on the domain controller >> Group Policy Management when the policies are edited in the "Select Users and Computers" step. Also, a scope change is not possible – only the local domain controller, the entire domain or the forest can be searched.
I did some research on limited users. I'm sure I can use this tool to override user group memberships. However, I cannot automate adding / centrally managing the local administrator of each PC to the Deny Login policy.
I would appreciate any ideas or alternative suggestions on this topic. This may need to be explained to management, or care may even need to be taken to make this the default for new computers.
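As an added example (not part of the original post), the following PowerShell audits a single machine's "Deny access to this computer from the network" right for the well-known SIDs Windows ships for this purpose, S-1-5-113 (Local account) and S-1-5-114 (Local account and member of Administrators group), which let a domain GPO cover every computer's local administrators without naming each account. It assumes Windows 8.1 / Server 2012 R2 or later (or KB2871997 on older versions), an elevated prompt, and that secedit.exe exports the right as a comma-separated list of *SID entries.

```powershell
# Added example, not the poster's code. Reads SeDenyNetworkLogonRight from a local
# security-policy export and reports whether the well-known local-account SIDs are
# present. Run locally (elevated) or on each host via Invoke-Command.
function Get-DenyNetworkLogonPrincipals {
    $inf = Join-Path $env:TEMP 'user_rights_export.inf'
    # secedit writes "[Privilege Rights]" with lines like
    #   SeDenyNetworkLogonRight = *S-1-5-114,*S-1-5-113
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }          # right not defined on this host
    $value = ($line -split '=', 2)[1]
    return @(($value -split ',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
}

function Resolve-PrincipalName {
    param([string]$Sid)
    # Translate a SID to DOMAIN\Name where possible; leave unresolvable entries as-is.
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid
    }
}

function Test-LocalAdminNetworkDeny {
    $principals = Get-DenyNetworkLogonPrincipals
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        DeniesLocalAdmins   = ($principals -contains 'S-1-5-114')   # local admins blocked over the network
        DeniesAllLocalUsers = ($principals -contains 'S-1-5-113')   # every local account blocked
        Principals          = ($principals | ForEach-Object { Resolve-PrincipalName $_ })
    }
}

Test-LocalAdminNetworkDeny | Format-List
```

A host where DeniesLocalAdmins is false has not received the intended deny right, which is the condition to alert on when rolling the GPO out to existing and newly joined computers.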