In order to remove access for any domain user to log in to every computer, we normally remove domain users and the two local groups NT AUTHORITY\Authenticated Users and NT AUTHORITY\INTERACTIVE from the Users group on any new computers after they have been added to the domain. So our typical setup would be to only have Domain Admins and the specific user to be logging in to that computer in the Users group. This has worked great for Windows 7, but now as we move to Windows 10, we have noticed that the two NT AUTHORITY groups are being added back into the Users group automatically after a reboot (at minimum).
Any idea how to prevent or track what is forcing them to repopulate? I've tried changing group policy to delete the Authenticated Users (built-in) and Interactive (built-in) local groups, but this made no difference. Also, I would rather not rely on a script to remove them every time.
It would probably be easier to configure your domain user accounts in that manner: https://www.itprotoday.com/security/letting-user-log-only-specific-computer-27-aug-2008
– Run5k – 2019-04-25T01:13:30.057
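For the "track what is forcing them to repopulate" part of the question, the following is an added example, not part of the original thread. It reads local group membership events (4732 added, 4733 removed) for BUILTIN\Users from the Security log and shows which account made each change. It assumes success auditing for "Security Group Management" is enabled, that the session is elevated, and that the re-add is recorded as a 4732 event.

```powershell
# Added example: report who or what changed BUILTIN\Users membership.
# Assumption: auditing is on, e.g.
#   auditpol /set /subcategory:"Security Group Management" /success:enable
# Run elevated; reading the Security log requires it.

$usersGroupSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users
$watched = @{
    'S-1-5-11' = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-4'  = 'NT AUTHORITY\INTERACTIVE'
}
$action = @{ 4732 = 'Added'; 4733 = 'Removed' }

# Last boot time, to line membership changes up against reboots.
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733 } `
                       -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    # Flatten the named EventData fields into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Keep only changes to the local Users group.
    if ($data['TargetSid'] -ne $usersGroupSid) { continue }

    $memberSid = [string]$data['MemberSid']
    $member = $memberSid
    if ($watched.ContainsKey($memberSid)) { $member = $watched[$memberSid] }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        Action        = $action[$e.Id]
        Member        = $member
        ChangedBy     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId       = $data['SubjectLogonId']
        AfterLastBoot = $e.TimeCreated -ge $boot
    }
}

$changes | Sort-Object Time | Format-Table -AutoSize
```

The `ChangedBy` and `LogonId` columns identify the security context that performed the add, which can then be matched against logon events from the same boot.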