We remove a group from a GPO setup to allow local login for specific servers, however, members of that group are still able to login. We have re-checked the GPO and the verified that the group in question does not have local login privileges.
"ApplyWindowsHostAccess" is not configured in your group policy. This must be set to 'True' in order for the GPO using access control to apply correctly.
In the GPO go to Unix Settings | Quest Authentication Services | Client Configuration and set the "QAS Group Policy Configuration" so that "ApplyWindowsHostAccess" = "True".