Create user as per usual, then:
1. Create new security group
2. Add user to security group
3. Group Policy Management: Create new Group Policy Object linked at root of domain
4. Right Click and choose edit.
Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
5. Double-click “Deny log on locally”
6. Click “Add User or Group” and add the group you created in step 1. Apply.
7. Wait for Group Policy synchronisation or gpupdate /force on computers.
Source: ServerFault