I am not exactly sure how to do this, so it might be a bit of hit or miss on your part until you get the right configuration.
Make the user a member of the administrators group on the local server, then set the following through group policy on the machine:
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Right Assignment:
Place the user account in the following policies:
Deny Logon Locally
Deny Logon Through Terminal Services
I am not sure if this will work, but you might give it a go and see how it works.
P.S., don't forget to run a "gpupdate /force" on the server after changing the group policy.