Active Directory
Mikhail Savin, 2014-06-23 09:29:45

How to restrict users from logging on to computers in a single-domain network?

Originally:

The situation is as follows (everything is organized on virtual machines):
We have the Main-First server (and the Main-Double server duplicating it), and under it a certain number of subdomain controllers;
Everything is organized through Active Directory. The controllers are running Windows Server 2008 R2.
It is necessary:
1. To give administrators the ability to create subdomain accounts for users/computers on the subdomain controllers subordinate to them;
2. To deny users the ability to log in from one subdomain to others, i.e. having the moskva.kontora.ru subdomain and the user Vasya Pupkin ([email protected]) in it, forbid him and others like him from logging on to computers (if he is physically present there) of the saratov.kontora.ru subdomain;
3. To make it possible, if necessary, for an Administrator of the forest controller to manually allow such a logon;

Now:
Forest: kontora.ru
Domain controllers:
main-f.kontora.ru - main, primary - virtual machine
main-d.kontora.ru - main, backup - virtual machine
moskva-f.kontora.ru - Moscow office, primary - virtual machine
moskva-d.kontora.ru - Moscow office, backup - virtual machine
norilsk.kontora.ru - Norilsk office - physical
Questions:
1. What is the best way to add the office servers: as domain controllers or as subdomain controllers?
2. How to transfer computer accounts?
3. How to transfer user groups?
4. How and what kind of group policies to set up so that the Administrator of the Moscow office can manage only Moscow users and computers (creation, modification and management), while being unable to change anything in other cities?
PS I've already read so much on AD and group policies that my head is a mess and, to be honest, I'm confused about everything... =)


2 answers
Slipeer, 2014-06-23
@jtprogru

I'm not sure (nowhere to check - I have single-domain forests everywhere).
In the GPO, Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
specifies the users and groups that can log on to the system. By default, it contains local groups.
The membership of local groups can be controlled through Group Policy Preferences (XP needs an extension for support; Vista and later support it natively).
If only users of that domain are in the local Users group on the PCs of each domain, the others will not be able to log on.
For users from other domains who need to be given access, you can add some additional group to local Users in advance: need to grant access to the neighboring domain - add them to the group; need to revoke it - remove them.
By default, forest administrators will always have access everywhere, and it's best not to touch that.
PS In general, if you are at the design stage, think about it: do you really need a multi-domain architecture?
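The following script is an added example, not code from the thread or from either poster. It shows the two pieces the answer above relies on, as seen from one member PC: the effective "Allow log on locally" right (secedit exports it as SeInteractiveLogonRight) and the membership of the local Users group, plus adding a domain group to local Users as the "extra group" for cross-domain access. The domain name KONTORA and the group Saratov-AllowedGuests are assumptions; substitute your own. It uses secedit and the ADSI WinNT provider so that it runs on Windows 7 / Server 2008 R2, which do not have the LocalAccounts cmdlets.

```powershell
# Added example (not from the original thread). Audits who may log on locally on this
# computer and optionally adds a cross-domain "allow" group to the local Users group.
# The domain KONTORA and the group Saratov-AllowedGuests are assumed names.
[CmdletBinding()]
param(
    # Hypothetical group: users from other offices who may log on to this office's PCs.
    [string]$AllowGroup = 'KONTORA\Saratov-AllowedGuests',
    # Without -Grant the script only reports; with it the group is added to local Users.
    [switch]$Grant
)

function Get-AllowLogOnLocally {
    # secedit exports the effective local policy; SeInteractiveLogonRight is the
    # privilege behind the "Allow log on locally" GPO setting.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Right-hand side is comma-separated; entries are '*<SID>' or plain account names.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry }   # SID from an unreachable or unknown domain: show it raw
        } else { $entry }
    }
}

function Get-LocalUsersGroupMembers {
    # ADSI WinNT provider lists members of the local Users group on any Windows version.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Users,group"
    @($group.Invoke('Members')) | ForEach-Object {
        ($_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)) -replace '^WinNT://', ''
    }
}

function Add-LocalUsersGroupMember {
    # $DomainGroup is DOMAIN\Group; adds it to the local Users group via ADSI.
    param([Parameter(Mandatory = $true)][string]$DomainGroup)
    $dom, $name = $DomainGroup -split '\\', 2
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Users,group"
    $group.Add("WinNT://$dom/$name,group")
}

Write-Host 'Allow log on locally:'
Get-AllowLogOnLocally | ForEach-Object { "  $_" }
Write-Host 'Local Users group members:'
Get-LocalUsersGroupMembers | ForEach-Object { "  $_" }

if ($Grant) {
    Add-LocalUsersGroupMember -DomainGroup $AllowGroup
    Write-Host "Added $AllowGroup to local Users on $env:COMPUTERNAME."
}
```

Run it elevated on a member PC; the report is what the answer's scheme depends on. One caveat worth checking in that report: on a domain-joined computer the local Users group contains NT AUTHORITY\Authenticated Users and NT AUTHORITY\INTERACTIVE by default, and Authenticated Users covers every authenticated user from every trusted domain in the forest. So "only this domain's users in local Users" means the Group Policy Preferences item for Users has to remove those well-known principals and add only this office's Domain Users plus the extra allow group; merely adding the allow group while Authenticated Users stays in place restricts nothing. Adding the group via ADSI (or net localgroup) as above is fine for a one-off test, but a GPP Local Users and Groups item with "Delete all member users/groups" plus the intended members is what keeps the result from drifting.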

Cool Admin, 2014-06-23
@ifaustrue

Colleague, well, these are the standard rights settings, what's the difficulty? Sounds like it works by default.
