Follow these best practices for setting up accounts in your IT department.
1a. See the following:
Domain Admin – Can only log in to DCs
Enterprise Admin – If you have more than one domain, this needs to be separate.
Server Admin – Only servers
Workstation Admin – Only workstations
Normal Account – Day to day
(Preference) This is how I name them:
If you want to ONLY allow a certain group:
Computer Configuration\Policies\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
(Add your groups)
If you just want to deny a group (not recommended imo):
Computer Configuration\Policies\Security Settings\Local Policies\User Rights Assignment\Deny log on locally
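To confirm that the two settings above actually landed on a machine, you can export its effective user rights and read back who holds each one. This is an added example, not part of the original post; the `$expectedAllow` group names are hypothetical placeholders for your own admin groups.

```powershell
# Added example. Run from an elevated prompt; secedit.exe ships with Windows.
$rights = [ordered]@{
    SeInteractiveLogonRight     = 'Allow log on locally'
    SeDenyInteractiveLogonRight = 'Deny log on locally'
}
# Hypothetical allow-list for a workstation; replace with your own groups.
$expectedAllow = @('BUILTIN\Administrators', 'EXAMPLE\Workstation Admins')

$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed: exit code $LASTEXITCODE" }
    $lines = Get-Content -Path $cfg

    foreach ($right in $rights.Keys) {
        $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $members = @()
        if ($line) {
            $members = @(($line -split '=', 2)[1].Split(',') |
                ForEach-Object { $_.Trim() } | Where-Object { $_ } |
                ForEach-Object {
                    if ($_.StartsWith('*')) {
                        # A leading * marks a SID; resolve it to a name where possible.
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.TrimStart('*'))
                        try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                        catch { $sid.Value }  # unresolvable, e.g. a deleted account
                    } else { $_ }
                })
        }
        '{0}: {1}' -f $rights[$right], ($(if ($members) { $members -join ', ' } else { '(not defined)' }))

        if ($right -eq 'SeInteractiveLogonRight') {
            # -notcontains is case-insensitive, which matches how account names compare.
            $members | Where-Object { $expectedAllow -notcontains $_ } |
                ForEach-Object { "  UNEXPECTED in allow list: $_" }
        }
    }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

Any line flagged as unexpected is an account or group that can log on interactively to that tier but is not on your intended list.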
NOTE: Some organizations break out the “Backup Admin” as well, but in my experience we just combine it with Domain Admin for backup tasks, since if you gain backup rights to AD you can extract anything you want from AD!