Prevent CMD to all user except ADMIN Privileges:
1. Create new Group Policy that called ‘Prevent CMD to all User’
2. Configure the following things in policy:
If you want to allow spesific user or security group , go to delegation and add this user/group and check "deny"
on “Apply Group Policy”