There certainly is, but the procedure will depend on whether you are on a
domain or not and whether you are trying to protect only the domain
controllers or member servers.
A Group Policy Object that is Linked to a domain container (example: OU -
Organizational Unit) can help you achieve this relatively effortlessly. DCs
already have a container and GPO set up to do exactly what you describe.
You need to keep in mind that the administrator IS a member of the domain
users group. If you deny local login to all users, you'll have denied admin.
To "not allow" is not the same as "deny".
