To block a set of users (assuming it's an OU inside Active Directory) from launching a program, do this:
Use the No Access Resource Lists inside Home > Global Policy Options > File Rules
Add the resource path of cmd.exe
Add the Program Path of *\* (this makes the rule apply across the entire machine)
Set the group name to DOMAIN\OU
You can copy this rule into "allow but log" if you want to test it.