In tip 119, we prevented junior administrators from editing the registry. There is no way to remove the Log on locally user right from the Administrators group. You can prevent them from logging on locally by using NTFS permissions on the files listed at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Userinit
For each of these files (in %SystemRoot%\System32), grant the specific UserName (not a group) No Access. Make sure that at least one Admin account can log on locally. The easiest way is to run a batch file (JSIjr "Username"):
cacls %SystemRoot%\System32\nddagnt.exe /E /D "%1"
cacls %SystemRoot%\System32\userinit.exe /E /D "%1"
cacls %SystemRoot%\System32\win.com /E /D "%1"
cacls %SystemRoot%\System32\wowexec.exe /E /D "%1"
exit
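
To confirm which accounts the batch has denied, and that the administrator account you rely on is not among them, the check below lists every Deny entry on the Userinit programs. It is an added example, not part of the original tip; it assumes PowerShell is available, and the $KeepAccount parameter and its default value are hypothetical.

```powershell
# Added example: audit Deny ACEs on the files this tip modifies.
# Assumption: $KeepAccount is an administrator account that must keep local logon.
param(
    [string]$KeepAccount = "$env:COMPUTERNAME\Administrator"  # hypothetical default
)

$key      = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $key -Name Userinit).Userinit

# Userinit is a comma-separated list; add the four files the batch touches.
$names = @($userinit -split ',') +
         'nddagnt.exe', 'userinit.exe', 'win.com', 'wowexec.exe'

$files = $names |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    ForEach-Object {
        $p = [Environment]::ExpandEnvironmentVariables($_)
        # Entries without a path are resolved against %SystemRoot%\System32.
        if (-not [IO.Path]::IsPathRooted($p)) {
            $p = Join-Path $env:SystemRoot "System32\$p"
        }
        $p.ToLowerInvariant()
    } |
    Select-Object -Unique

$lockedOut = $false
foreach ($file in $files) {
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Warning "Not present on this system: $file"
        continue
    }
    $denies = (Get-Acl -LiteralPath $file).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' }
    foreach ($ace in $denies) {
        '{0}: DENY {1} ({2})' -f $file, $ace.IdentityReference, $ace.FileSystemRights
        # Only direct entries are matched; a Deny on a group is not expanded.
        if ($ace.IdentityReference.Value -ieq $KeepAccount) { $lockedOut = $true }
    }
}

if ($lockedOut) {
    Write-Warning "$KeepAccount is denied on a Userinit program and may be unable to log on locally."
}
```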