You’d think that “Deny logon locally” would do it right? Even the documentation suggests that this is the case. But of course you can’t apply that policy to administrator account (presumably because any user called ‘administrator’ must be dumb), so it’s completely useless.
The perfectly obvious and not at all in any way obfuscated way to do it is actually to add the user in question to ‘Remote Operators’ group.
Wonderfully clear isn’t it. Windows I mean.