I think you are better off using the Windows Security Policy (either local or AD-based) to achieve this.
Locally, use secpol.msc > Local Policies > User Rights Assignment > Deny Log On Locally, and add the users/groups you want to block.
Then monitor AD or Local Users for changes using SCSP IDS. For added security, block write access to the Registry using IPS to prevent the security policy from being changed, and do not allow windows\system32\mmc.exe to run, so you can get an event if anyone attempts to thwart your lockdown.
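
The following is an added example, not part of the original post: a PowerShell check that exports the local User Rights Assignment with `secedit` and compares the holders of "Deny log on locally" (privilege constant `SeDenyInteractiveLogonRight`) against a baseline. The `$ExpectedDenied` default of `Guest` is a constructed sample value, and the function names are chosen for this example.

```powershell
# Added example: verify who holds "Deny log on locally" (SeDenyInteractiveLogonRight).
param([string[]]$ExpectedDenied = @('Guest'))   # constructed sample; list the accounts you blocked
$ErrorActionPreference = 'Stop'

function ConvertTo-Sid([string]$Entry) {
    # secedit writes SIDs as *S-1-...; anything else is an account name to resolve.
    if ($Entry.StartsWith('*')) { return $Entry.TrimStart('*') }
    $account = New-Object System.Security.Principal.NTAccount($Entry)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-DenyLocalLogonSid {
    $cfg = Join-Path $env:TEMP ('userrights_{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area (requires an elevated session).
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }   # nobody is assigned the right
        ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ } |
            ForEach-Object { ConvertTo-Sid $_ }
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

# Compare by SID so renamed accounts and domain/local prefixes do not cause false mismatches.
$actual   = @(Get-DenyLocalLogonSid)
$expected = @($ExpectedDenied | ForEach-Object { ConvertTo-Sid $_ })
$missing  = @($expected | Where-Object { $_ -notin $actual })
$extra    = @($actual   | Where-Object { $_ -notin $expected })

if ($missing.Count -or $extra.Count) {
    Write-Warning "Deny log on locally differs from baseline."
    $missing | ForEach-Object { Write-Warning "  missing from policy: $_" }
    $extra   | ForEach-Object { Write-Warning "  not in baseline:     $_" }
    exit 1
}
Write-Output "Deny log on locally matches the expected $($expected.Count) account(s)."
```

Run on a schedule, the non-zero exit code gives a second signal if the right is edited in a way the IDS rules miss.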