Preventing Helpdesk from manually Disabling or Enabling accounts


I'm trying to force our Helpdesk to always use Deprovision (or Undo Deprovision) to disable/enable accounts. Occasionally they still try to manually revert the Deprovisioning process, causing unwanted account deletions after X days.

How can I block/deny them from using Disable/Enable accounts so they can only use the Deprovision related tasks? I don't mind using explicit Deny templates but I can't seem to get the right attributes included without breaking other functionality (for example, when blocking access to userAccountControl, it has a lot of side affects).