Limit the visibility of AD object for desired users

Problem:

You want to limit the visibility of a particular Active Directory object (e.g. an Organizational Unit) so that only the desired users can see it. Such a configuration may be especially helpful in environments that include tenants.

Solution:

To hide a specific object, you need to apply the necessary changes directly in Active Directory, as every CodeTwo product uses native Active Directory pickers.

Consider the following scenario: you have a user, Miami Admin, who is an administrator of your company's branch in Miami. Miami Admin belongs to the Organizational Unit named Miami, which is a separate OU for Miami office staff. This user is able to browse through their own OU, but the Users OU (which holds the accounts of your head office users) should be inaccessible to them.

To achieve this configuration, follow all the steps described below:

  1. Open Active Directory Users and Computers (you can simply run the dsa.msc command).
  2. Enable Advanced Features from the View menu.
  3. Navigate to the AD object you want to hide (in this case, Users) and right-click it to open its Properties (Fig. 1.).


    Fig. 1. Opening Properties of a particular AD object.

  4. In the Properties window, switch to the Security tab.
  5. Add the Miami Admin user to the security list.
  6. Set Full access to Deny. This will set all other permissions to denied as well (Fig. 2.).

Fig. 2. Denying all permissions for Miami Admin account.

From now on, the user Miami Admin will be able neither to browse the Users OU nor to select any of the users that are its members.
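
The same Deny entry can be applied and then checked from PowerShell. This is an added example, not part of the original article or CodeTwo's tooling. It assumes the RSAT ActiveDirectory module is installed; the distinguished name, the account name, and the inheritance scope (`All`) are assumptions to adjust for your directory.

```powershell
# Added example: script equivalent of steps 3-6 above, plus a verification step.
Import-Module ActiveDirectory

# Assumed placeholder values; replace with your own.
$TargetDn = 'OU=Users,DC=example,DC=com'   # object to hide from the user
$UserName = 'miami.admin'                  # sAMAccountName of the Miami Admin account
$AdPath   = "AD:\$TargetDn"
$SidType  = [System.Security.Principal.SecurityIdentifier]

# Resolve the account to its SID so the ACE does not depend on name lookups.
$sid = (Get-ADUser -Identity $UserName).SID

# Save the current security descriptor as SDDL so the change can be
# reviewed later or rolled back.
$acl = Get-Acl -Path $AdPath
$backup = ".\acl-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss').sddl"
$acl.GetSecurityDescriptorSddlForm('All') | Set-Content -Path $backup

# Deny ACE: GenericAll corresponds to denying full control.
# Inheritance 'All' (this object and all descendants) is an assumption,
# chosen so that the accounts inside the OU are covered as well.
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Add the ACE only if an equivalent explicit entry is not already present.
$explicit = $acl.GetAccessRules($true, $false, $SidType)
$already = $explicit | Where-Object {
    $_.IdentityReference -eq $sid -and
    $_.AccessControlType -eq 'Deny' -and
    $_.ActiveDirectoryRights -eq 'GenericAll'
}
if (-not $already) {
    $acl.AddAccessRule($ace)
    Set-Acl -Path $AdPath -AclObject $acl
}

# Verify: list the explicit ACEs that now exist for this account.
(Get-Acl -Path $AdPath).GetAccessRules($true, $false, $SidType) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Format-Table AccessControlType, ActiveDirectoryRights, InheritanceType, IsInherited
```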
