In my network, we have 2 levels of admins: admins that can administer clients (software, settings, etc.; they are not in the "Administrators" or "Domain Admins" group but are given privileges by having their names added to the built-in administrators group via a GPO applied to only the OU with the clients), and others that are full-blown Domain Admins (i.e., they are part of the "administrators" and "domain admins" groups).
OK, so, in my network, we have a few clients that are used by both users and admins. These clients have RSAT installed on them. This gives the standard users (i.e., the "domain users" and the limited admins) the ability to add the ADUC snap-in to mmc and view the AD structure and view all the user info. I want to limit certain system32 apps (things like mmc, gpmc, etc.) so that they can only be run if the user is strictly in the "domain admins" group.
How can I do this?