Is there truely no replacement for the old Restrict Login policy? I know
you can restrict under the dynamic local user policy, but that is only
by workstation object. Is there no way to select workstations and
blacklist/whitelist users any more? Doing it by user policy package
is... not convenient.

Some googling suggests that I am not the only one frustrated by this,
but I have seen no workaround other than some ugly login script magic.