Hi,
Here is a method for your reference:
Restrict the ADUC snap for regular domain users through Group Policy :
Navigate to User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins
Select ADUC and set it to disabled as following:
Then update the group policy for users when they login by command :gpupdate /force
After the group policy was applied, it will be prevented when they run ADUC:
When the user need to run aduc as administrator, you can click the ADUC and run as administrators, it will show as :
Then enter the administrator name and password , the ADUC can be run as you expected.