I need to protect one domain client machine from other domain users login except one domain user. ie my domain is example.com (192.168.1.1) Windows 2008 client machine is test1.example.com ( 192.168.1.7)
users name : test1 & test2
From this test1 only need permission to login to test1.example.com not for test2.
If you only want to do this for one machine, it's easy. You log into the individual machine and open local users and groups. On the command line, it's LUSRMGR.MSC. When the machine was joined to the domain, the users group automatically got "all domain users" as the default. Delete that and add the individual user that you want.
You can use Group Policy, either domain or local, to configure Deny log on locally right. This right is located under: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny Logon locally
If the user also has remote access granted to these machines, you can deny their logon through Terminal Services. This right is named Deny log on through Terminal Services.
You may wish to maintain user groups instead of individual users. This can make updating the listing easier than editing domain/local Group Policy.