It should be done at the IT level who manage the desktops/laptops etc , they should be able to role out policy to prevent users accessing there TCP/IP settings and changing DNS settings
If you know what there using as the other DNS like 8.8.8.8 you could block it by port number to the LAN but usually its done on IT level as if you block 1 they will use another and you will be updating acls constantly, yiou could try block all and just allow yours through not sure if that will work though , we lock it down at pc level