How to manage users with interactive logon rights?

Can anyone tell me how I can manage(or if not possible, monitor) programatically the people who are allowed to interactively logon(that is through actual physical access) on a windows ma开发者_开发问答chine attached to an active directory architecture? Something in BCL/FCL is preferred but COM interop/WMI is also fine.

I found a COM API call that can be used to monitor and/or manage users with interactive logon rights.
LsaEnumerateAccountsWithUserRight can monitor people with interactive logon rights while LsaAddAccountRights, LsaEnumerateAccountRights and LsaRemoveAccountRights can add and remove such privileges.

Not sure how to do it programmatically. You can do it with the NTRights.exe tool as:

NTRights -u [username] +r SeDenyInteractiveLogonRight

To deny a user the right to log on interactively. So if you can't find a better solution you could possibly call that tool from your application.