This should be done at the OU level and not at the domain level, event though it is possible to protect at domain level is not recommended.
If we protect at the domain level we wont be able to protect only one attribute but rather all the attributes will be protected, to protect a single attribute the only option is to add the OUs where the accounts are hosted, to the protection template.