There are a lot of ways to do this. I might take a look at using the 'deny
logon locally' solution. It can be found here:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Use a security group and make that one specific user account object the only
member of that group. Then apply the Deny Logon Locally right to that
group. You would create an OU and move all of the computer account objects
(except the one that he/she is supposed to be able to use) into that OU.
Then create the GPO and link it to that OU.
This might be one way to do this.
If moving all of the computer account objects EXCEPT ONE to a separate OU
causes a problem for you then you might want to take a look at Group
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP
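
The steps described in the reply above, as an added PowerShell sketch that is not part of the original post. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed; the domain, user, computer, group, OU and GPO names are placeholders, and it assumes the workstation accounts currently sit in the default Computers container.

```powershell
# Added example: every name below is a placeholder, not a value from the post.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN   = 'DC=example,DC=com'             # assumed domain
$UserSam    = 'restricted.user'               # the one user to restrict
$AllowedPC  = 'WKS-ALLOWED'                   # the one computer the user may use
$GroupName  = 'Deny-Local-Logon'
$OuName     = 'Restricted-Logon-Computers'
$SourceBase = "CN=Computers,$DomainDN"        # assumed current location of workstations
$GpoName    = 'Deny Logon Locally - restricted user'

# 1. Security group whose only member is the one user account.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
    -Path "CN=Users,$DomainDN"
Add-ADGroupMember -Identity $GroupName -Members $UserSam

# 2. OU that will hold every computer the user must NOT log on to.
$ou = New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -PassThru

# 3. Move all computer accounts except the allowed one. Domain controllers
#    live in their own OU, so this search base does not touch them.
#    -WhatIf only previews the move; remove it after reviewing the list.
Get-ADComputer -Filter * -SearchBase $SourceBase -SearchScope OneLevel |
    Where-Object { $_.Name -ne $AllowedPC } |
    Move-ADObject -TargetPath $ou.DistinguishedName -WhatIf

# 4. Create the GPO and link it to the new OU.
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $ou.DistinguishedName -LinkEnabled Yes

# 5. The user right itself is a security setting, not a registry value, so it
#    is set in the Group Policy editor at the path given in the post:
#    add $GroupName to "Deny log on locally" (SeDenyInteractiveLogonRight).

# 6. Checks before relying on the policy.
# The group must contain exactly the one user; anyone else is denied as well.
$members = @(Get-ADGroupMember -Identity $GroupName)
if ($members.Count -ne 1 -or $members[0].SamAccountName -ne $UserSam) {
    Write-Warning "Unexpected membership in ${GroupName}: $($members.SamAccountName -join ', ')"
}
# The allowed computer must not have ended up inside the restricted OU.
if (Get-ADComputer -Filter "Name -eq '$AllowedPC'" -SearchBase $ou.DistinguishedName) {
    Write-Warning "$AllowedPC is inside $OuName and would receive the deny policy"
}
# After step 5, the GPO report should mention the deny right.
if ((Get-GPOReport -Name $GpoName -ReportType Xml) -notmatch 'SeDenyInteractiveLogonRight') {
    Write-Warning "GPO '$GpoName' does not yet define Deny log on locally"
}
```

On a computer in the OU, `gpresult /r /scope computer` after a policy refresh shows whether the GPO was applied.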