Question : LDAP, Active Directory - Very specific priviledges

I'm fairly new to alot of this stuff, so bare with me here.  Here's our configuration:

2 physical machines, VMWare ESXi
Several Windows 2008 r2 VMs, including an AD server
2 Red Hat VMs

Both the Red Hat VMs and the Windows VMs have joined the AD domain, and leverage AD authentication for login.  Also have JIRA and SVN configured to use LDAP authentication.  Everything works as expected, so far so good.

Now, we have an offshore team working for us, and I want to grant them access to a specific SVN project and a specific JIRA project.  However, I don't want them to have access to any other machine on the network.

So, from everything that I've read, here's what I've gathered.  I want to add them to a specific AD group (done) and grant them access to an SVN project with the following Apache configuration:

<Location "/OffshoreProject/">
   Require ldap-group CN=Offshore-Developers,CN=Users,DC=domain,DC=local
</Location>

Again, so far so good.  They have access to this but not any other SVN project.  However, they also have access to login to any computer on the network.  So, I created a separate group in AD called "Deny Login" and added the users.  I then edited the default domain GPO, and flipped every "Deny Login *" switch I could find.  I've tried every on/off combination imaginable.  However, now if I leave them in the "Deny Login" gorup, they cannot authenticate at all through Apache.  If I pull them out, it works but they can login to the machines on my network.  Any ideas on what I'm doing wrong here?  Am I missing something?

Thanks in advance..

Answer : LDAP, Active Directory - Very specific priviledges

Syntax check:

$mysqlqry =
    "UPDATE bookings_items SET desc_en = " .
    "(SELECT CONCAT('#',prty_id,':   ',property.prty_title) FROM property " .
          "WHERE bookings_items.id_ref_external = property.prty_id) " .
    "WHERE id_ref_external = $_POST[new_id]";