By default, each newly created organizational unit (OU) in the access list includes read permission for the group Authenticated Users (built-in group). This allows all users of the domain to be able to view the contents of any OU in Active Directory using Active Directory Users and Computers snap-in. Accordingly, in order to hide the specific OU from the users, it is necessary to edit security settings of the organizational unit manually each time. You can get rid of manual editing of OU permissions by changing the default properties of the Organizational Unit class.
Changing Default OU permissions
In Active Directory you can change the properties of the object class by modifying the Active Directory schema. To do this, we need to install the snap-in «Active Directory Schema» (by default due to the security reasons, this snap-in is disabled on the domain controllers).
Several important notes.
- When editing the Active Directory schema, you must be extremely careful, because of the changes may affect the entire forest.
- To make changes to the schema, your account must be directly added to Schema Admins group (Enterprise and Domain administrators groups is not the same as a Schema Admins group).
At first, open an elevated Command prompt on domain controller and register dynamic library schmmgmt.dll, which is needed to run the snap-in:
Then open the mmc console and go to File -> Add / Remove Snap-in.
In the list of available snap-ins, select Active Directory Schema, add it to the console by pressing the Add and OK.
The Schema snap-in Active Directory allows you to edit all existing classes and attributes of Active Directory.
Expand the Active Directory Schema (Dcname1) and go to Classes section. In the class list, locate the class organizationalUnit, right-click on it and select Properties.
In the class property page open the tab «Default Security». This tab contains the default permissions for new OU in Active Directory. You can simply remove the Read permission for group Authenticated Users, or using the button «Advanced», which switch you to the advanced settings.
If you select the Advanced Security Settings, in the list of OU permissions select the Authenticated Users group and click Edit.
In the new opened window we specify the desired OU permissions. For example, we want to remove the permission List Object, but leave the permissions to Read all properties for all objects in OU.
Save the changes by pressing OK button 3x times and close the snap-in. To apply the changes in AD you need to wait some time to replicate schema changes on all DCs in your forest.
After that, when you create a new Organization Unit in Active Directory, by default, domain users will not be able to view list of objects it contains.
This settings will be applied only to all newly created OU, for an existing OU permissions it will not be changed.