Restrict root to su local accounts

I know that root can modify any config file. As a best practice, I would like to disable the capacity for root to su on accounts which authenticates against NIS or Active Directory. As a best practice, I would like to allow root to su only on local accounts. *My* definition of a local account is any line with an id in /etc/passwd (because of the +user:::::: for NIS access). I guess it would involve modifying the pam config, but I'm not clear on the how.