Denying logon privilagesLocked
I work in a school district. We have a Windows server 2003 Active Directory domain. We have a few hundred laptops running Windows XP that the students use. Last year the students wreaked havoc on them, i.e. changing desktops, deleting and changing icons, deleting folders, etc. During this summer we have implemented a total lockdown of the laptops, (and PCs) through active Directory using Mandatory Profiles and Group Policies. But we did this for only a hand full of users that we want to use the laptops. Is there a way of denying, certain domain users logon privileges to the laptops? And if so, can it be done through active directory, or does it have to be done on the local machine?