By default noone has the rights to do this unless they have rights to Active Directory. And even then, when you pull up the GAL and double-click a name, none of the fields are editible from there. These fields are generated from Active Directory and are view-only from the GAL.
Make sure there is no AD delegation to general user groups, and check the security settings on your user folders in AD.
Remove non-administrative users from groups which have elevated priviledges like the domain admins group and the administrator group.