Windows Server
Andrey, 2019-02-21 17:30:00

How to prevent programs from running on the remote desktop?

Good afternoon.
There is a local area network of 4 machines, which are in two subnets.
Server1 is also a domain controller + client1.
Server2 is a router and a terminal server + client2.
All machines on the network are joined to a domain.
The task is to ensure that clients, under their accounts on the terminal server, can only work with Microsoft Office applications and have access to their "My Documents" folder and a shared network folder (file dump).
User accounts are collected in a separate OU.
Tried:
On the domain controller, moving Server2 to a separate OU and setting it to run only these applications - did not help.
If you set this restriction on a domain controller, then it applies accordingly to the entire scope of accounts, and not just on the terminal server.
The thought came that I then need to make the restriction on the terminal server, but the changes made there are applied to the server (on the one hand, this is logical, because I make changes under the local Administrator account). Under the Domain Administrator account, on the terminal server, I can't do anything with security policies - I don't have rights (in theory, again, it's logical, because the domain controller has not delegated its rights to the terminal server).
And here I have a question: how, then, do I apply this restriction on the terminal server (launching ONLY Office applications) for domain controller users (who are included in a separate OU, if this is important, of course)?
P.S. Third-party software cannot be used.


2 answer(s)
Andrey, 2019-02-22
@jetflashsk

Configure software restriction policy for all users except local admins.

Under local admin, I don't see any domain users to accept this rule.
Under the domain administrator, I apply these rules to the entire domain area, and not just to the terminal server.
So these users are not on the terminal server.
Upd. The topic is not relevant. I'm downloading a 2012 server, something I've been through since 2003
