I have a user on a network that has local admin rights. Other users in the office are running as Users. The problem is that this admin user is logging on other machines and installing software. Due to company politics, his boss will not tell him to stop, I am only allowed to block his access to the other machines. I looked online but couldn't find the procedure to deny access by machine to a particular user using the AD. Anyone know how to do this or can point me in the right direction.

Windows Server 2012 Domain
Windows 7 and XP Workstations