That depends on the kind of user they are. If they are a member of a group that grants them rights on domain controllers (for example, Domain Admins) there really isn’t a way to do that. If your domain is small enough, you could specify the list of computers they are allowed to login to, excluding the domain controllers, but I think this would rapidly become unmanageable (every time you add a computer, potentially you need to update the list of computers they can login to) as well as being rendered ineffective if the users in question are domain admins (they can always come in behind you and undo it).
Now, assuming that this is not a domain admin, the ability to logon to a domain controller is defined in the Default Domain Controllers Group Policy. You can view this by right clicking on the Domain Controllers OU in Active Directory Users and Computers and selecting “Properties”. Click on the “Group Policy” tab, select the policy and click “Edit”. Navigate using the Group Policy Object Editor to the following branch:
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
In the right hand window, look for either “Log on locally” or “Allow Logon Locally” (it differs depending on which version of Windows you are using). Double click on the policy and add/remove users from that list accordingly and check the box next to “Define these policy settings:” to define who will be allowed to logon locally. By default, the following accounts/groups can logon locally to domain controllers:
1. Account Operators
2. Administrators
3. Backup Operators
4. Print Operators
5. Server Operators
6. Corresponding Internet Users (IUSR_)
As always, rather than directly editing the Default Domain Controllers Group Policy, you should create a new group policy object with the settings you want. Also, be advised that changing the default settings can cause unexpected and potentially damaging results to your systems.
