Limit the visibility of an AD object to desired users
You want to limit the visibility of a particular Active Directory object (e.g. an Organizational Unit) to desired users only. Such a configuration may be helpful especially in environments that include tenants.
To hide a specific object, you need to apply the necessary changes directly in Active Directory, as every CodeTwo product uses native Active Directory pickers.
Consider the following scenario: you have a user Miami Admin who is an administrator of your company's branch in Miami. Miami Admin belongs to the Organizational Unit named Miami, which is a separate OU for Miami office staff. This user is able to browse through their own OU, but the Users OU (which holds the accounts of your head office users) should be inaccessible to him/her.
To achieve this configuration, follow the steps described below:
- Open Active Directory Users and Computers (you may simply run the dsa.msc command).
- Enable Advanced Features in the View menu.
- Navigate to the AD object you want to hide (in this case, Users) and right-click it to open its Properties (Fig. 1).
- In the Properties window, switch to the tab named Security.
- Add the Miami Admin user to the security list.
- Set Full access to Deny. This will set all other permissions as denied (Fig. 2).
From now on, the user Miami Admin will be able neither to browse the Users OU nor to select any of the users that are its members.
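
The same change can be scripted with the ActiveDirectory PowerShell module, which leaves a reviewable and reversible record of the entry. This is an added example, not CodeTwo's own code. The function name, the distinguished name and the account name `miami.admin` are assumptions (placeholders), as is the choice to apply the Deny to the object and all of its descendants.

```powershell
# Added example: scripted equivalent of the Security-tab steps above.
# Requires RSAT / the ActiveDirectory module and rights to modify the object's ACL.
Import-Module ActiveDirectory

function Set-AdObjectDenyForUser {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $TargetDn,        # object to hide
        [Parameter(Mandatory)] [string] $SamAccountName,  # user who must not see it
        [switch] $Undo                                     # remove the entry again
    )
    $sid  = (Get-ADUser -Identity $SamAccountName).SID
    $path = "AD:\$TargetDn"
    $acl  = Get-Acl -Path $path

    # Deny + GenericAll denies every permission on the object.
    # Assumption: inheritance 'All' so the user objects inside are covered too.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    if ($Undo) { $acl.RemoveAccessRuleSpecific($rule) }
    else       { $acl.AddAccessRule($rule) }

    if ($PSCmdlet.ShouldProcess($TargetDn, "update Deny entry for $SamAccountName")) {
        Set-Acl -Path $path -AclObject $acl
    }

    # Return the explicit (non-inherited) Deny entries for this SID for review.
    (Get-Acl -Path $path).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny
        }
}

# Placeholder values. The built-in Users container is addressed as CN=Users,
# while a real Organizational Unit is addressed as OU=<name>.
Set-AdObjectDenyForUser -TargetDn 'CN=Users,DC=example,DC=com' `
                        -SamAccountName 'miami.admin' -WhatIf
```

Drop `-WhatIf` to apply the change, and run the same call with `-Undo` to remove the entry.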