I just found out from our security admin that one cannot apply a local policy on an XP box to a group in Active Directory. This creates a particular challenge for us. This is what I am trying to do.
Task: Disallow most domain users from logging in to the domain on 6 individual computers.
Exceptions to this:
10 specific users whos names will change over time