My suggestion is to go with Group Policy, which you need to create and link to the Domain Controller OU. Ensure that you have given read and apply permission to that particular Domain Account, so that the GPO will apply only to the particular Domain Account. To configure this GPO, please go through the link below.
To remove access to ADTool, you can give Deny Read access to the particular Domain Account in the Security tab of ADTool. By selecting Advanced in the View menu, you will get the security for ADTool.
I hope this will work for you…