Open the Group Policy Editor:
Press the Windows key + R, type "gpedit.msc" in the Run dialog box, and press Enter.
Alternatively, navigate to the Start menu, type "gpedit.msc" in the search bar, and select the "Local Group Policy Editor" option.
Navigate to the Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment policy:
In the Group Policy Editor, navigate to the above path on the left-side panel.
Modify the "Allow log on locally" policy:
On the right-side panel, double-click the "Allow log on locally" policy.
In the policy properties, click the "Add User or Group" button.
In the "Select Users, Computers, Service Accounts, or Groups" dialog, type "Administrators" in the object name field and click "Check Names".
Ensure the "Administrators" group is highlighted, then click the "Remove" button to remove it from the list.
Click "OK" to close the dialog, then click "OK" again to close the policy properties.
Apply the policy changes:
Close the Group Policy Editor.
Open a Command Prompt as administrator and run the following command: "gpupdate /force"
Restart the computer.
After these steps, the local administrator account will no longer have the rights to log on locally to the Windows devices, improving the security of your network.