Hi Sid,
To be honest, I am not sure I clearly understand what you want to achieve here.
If by "lockdown" you mean that no AD Users should be allowed to run privileged commands using sudo or switch to another user context using su, the first logical step is to not give permissions to any of those AD Users, or the AD Groups they are members of, in the Sudoers policy file. Running su as any other account than root will require you to authenticate with the password of the target account (e.g. you need to enter the root password when running "su -" or "su - root").
If you really want to deny usage of the su or sudo binaries, then Fel's answer is the right one.
If you need so much privilege management and want to follow a "least privilege access" model, I strongly suggest looking at the commercial version of Centrify Server Suite, as DirectAuthorize allows very strong and granular control on access and privileges.
Cheers,
Fab
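
As an added illustration of the first step described above (not part of Fab's reply and not Centrify code): a small Python audit that lists every sudoers rule granted to a principal outside a local allowlist. The sample policy, the AD names in it and the `audit_sudoers` helper are constructed assumptions; it expects one alias per `User_Alias` line and does not follow include directives.

```python
import re

# Constructed sample policy; names are illustrative, not from the original post.
SAMPLE = r"""
# local break-glass accounts
Defaults env_reset
User_Alias ADOPS = %unix-admins@example.com, jdoe@example.com
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
ADOPS   ALL=(root) /usr/bin/systemctl restart httpd
%domain\ admins ALL=(ALL) \
        NOPASSWD: ALL
"""

# Line prefixes that are not user specifications (comments and #include start with "#").
SKIP = ("Defaults", "Host_Alias", "Runas_Alias", "Cmnd_Alias", "#", "@include")

def audit_sudoers(text, local_allowed):
    """Return (line_no, principal) for every rule granted to a principal
    outside local_allowed. User aliases are expanded; includes are not followed."""
    # Join backslash-continued lines, remembering where each logical line began.
    logical, buf, start = [], "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        logical.append((start, (buf + raw).strip()))
        buf, start = "", None

    aliases, findings = {}, []
    for no, line in logical:
        if not line or line.startswith(SKIP) or "=" not in line:
            continue
        line = re.sub(r"\s*,\s*", ",", line)          # "a, b" -> "a,b"
        left, right = line.split("=", 1)
        if left.startswith("User_Alias"):
            aliases[left.split()[1]] = right.strip().split(",")
            continue
        # The user list is the first field; "\ " is an escaped space inside a name.
        users = re.split(r"(?<!\\)\s+", left.strip(), maxsplit=1)[0].split(",")
        for user in users:
            for principal in aliases.get(user, [user]):
                if principal not in local_allowed:
                    findings.append((no, principal.replace("\\ ", " ")))
    return findings
```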