I just created a GPO to set "Deny Log on Locally" and "Deny log on through Remote Desktop" to one AD group, and "Deny logon as a batch job" and "Deny log on as a service" to another group. I intend to put special-purpose accounts in one or both of these groups.
But when I view the "Settings" tab for this new GPO in the GPEDIT.MSC, it shows "No settings defined". And when I link the GPO to my domain, the GPRESULT shows that the GPO is not applied because it is empty !!!
I even tried adding another, completely unrelated computer policy setting so the GPO would not be empty. The "Deny logon..." settings still have no effect.
This is a very simple domain. Just one site with two DCs, both running Windows 2008 R2+SP1, Domain functional level and Forest functional level both Windows 2008 R2.