Allow AD users in a specific group to logon only on specified computers
Get the properties of their user account in Active Directory Users & Computers. Click on the Account tab. Click on the Log On To... button. Click on The Following Computers and then click Add and to add as many computers as you wish them to be able to connect to. Click OK to save the change. Works great.
I would do this with a group policy. It's much more scalable than the solution icky2000 suggested.
You would set a policy that denies local login to every machine (Computer Settings -> Security Settings -> Local Rights Assignment -> Deny Logon Locally)
Then set a higher precedence policy that removes the group from the above policy, this can be done with security filtering, or via different OU's for the restricted and non restricted computers. My personal preference would be for the Multi-container approach.