This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory.
If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material
1) WMI Filters
Create WMI filter that will identify devices for each tier. In the article three tiers are used, domain controllers, servers and workstations. This provides a balance between security and simplification but this can easily be extended to other devices
or server types.
Create a group for each tier. This will hold the members for each tier.
3) Group Policies
Create a group policy for each tier. It should filter based on the tier type and will contain the allow/deny rules.
4) Add members to tier groups
Finally, add your dedicated DA accounts to tier 0 group, dedicated server administrators accounts to tier 1 group. Accounts will now only be able to log in locally or via RDP if they are meant for the specific tier