Here is what you can do.

Ad your "remote access group" to users group.
in Local security policy in "deny logon localy" add "remote access group"

What do you achieve?
when you add user to "remote access group" that user has all rights like ordinary user but it cant not log on localy
Why bother with all this?
it is good practice that you add permitions to groups (especialy if you have a lot of permitions to add/edit). So you make all security job once, and later just move users from one to another group.

Imagine that you have all this set up for one user.. then you decide to delete that user... after a while you have to bring back that user, or make another with same security. Is it easier to add new user to already prepared group or do all work all over again?

This all maybe sounds like "why should I bother with all grouping things" but you never know what future brings. One day you could be in position that you administer 10 computers with 30 users??? or maybie more