How to restrict login access to an AD user/group on domain-joined Linux servers

To restrict user logins, edit the access.conf file:

#vi /etc/security/access.conf

Add the lines below:

+ : (boobi\testgroup) : ALL
+ : root : ALL
- : ALL : ALL
This denies login to every user and group except testgroup and the root account.

Also make sure the pam_access.so module is present in /etc/pam.d/system-auth and /etc/pam.d/password-auth, like below:
account required pam_access.so
account required pam_unix.so broken_shadow
If you want the same restriction for a single user, use a line like the one below instead of the group entry:
+ : testuser : ALL
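As an added example (not part of the original post), here is a small Python evaluator that applies pam_access's first-match semantics to a constructed copy of the access.conf rules above, so you can check who a rule set admits before deploying it. The user and group names are constructed, and only ALL, plain user names and the '(group)' syntax are implemented; bare group names, netgroups and EXCEPT are not.

```python
# Evaluate /etc/security/access.conf rules the way pam_access does:
# 'permission : users/groups : origins'; the first matching line wins,
# and no matching line at all means access is granted.

# Constructed rule set equivalent to the one in the post.
ACCESS_CONF = """
# permission : users/groups : origins
+ : (testgroup) : ALL
+ : root : ALL
- : ALL : ALL
"""

# Constructed user -> group table (what SSSD/getgrouplist() would return).
USER_GROUPS = {
    "root": ["root"],
    "alice": ["domain_users", "testgroup"],
    "bob": ["domain_users"],
}

def parse_rules(text):
    """Return (permission, subjects, origins) for each non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, subjects, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {raw!r}")
        rules.append((perm, subjects.split(), origins.split()))
    return rules

def subject_matches(item, user, groups):
    """ALL, '(group)' or a plain user name; bare group names not handled."""
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return item[1:-1] in groups
    return item == user

def is_allowed(rules, user, groups, origin="sshd"):
    """The first rule whose subjects and origins both match decides."""
    for perm, subjects, origins in rules:
        if any(subject_matches(s, user, groups) for s in subjects) and \
           any(o in ("ALL", origin) for o in origins):
            return perm == "+"
    return True  # pam_access default when nothing matches

def check(user, conf=ACCESS_CONF):
    return is_allowed(parse_rules(conf), user, USER_GROUPS.get(user, []))
```

Because the first match wins, the "- : ALL : ALL" line must stay last; moving it above the allow lines locks out everyone, root included.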

Example system-auth:
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
account     required      pam_access.so
account     required      pam_unix.so broken_shadow
Example password-auth:
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
account     required      pam_access.so
account     required      pam_unix.so broken_shadow
