Basically Windows workstations cache the credentials and the only time it will try to authenticate is when it tries to use a network resource, at which point their network access will be denied. However, there is nothing you can do to a user account to prevent them from accessing their workstation if they are already logged on and/or are off the network. The only way to lock them out of their computer is to reboot the system or otherwise force them to authenticate to the domain controller. On that note, what about remote laptop users. Say it is a sales person with a desktop and a laptop. And they left the laptop at home, how do you prevent access? You can chose to disable cached credentials so they must always authenticate against the domain controller via a VPN or another method.