The first thing you see when you open the Active Directory Users and Computers (ADUC) snap-in is the set of AD containers and Organizational Units (OUs) in which user accounts, computers and groups are placed. Depending on the size and structure of the organization, the number of OUs in Active Directory can be quite large.
In addition, there are several predefined containers. Most of them are rarely used, yet they are displayed in the ADUC console, cluttering the view and making AD harder to administer.
This is what the ADUC snap-in looks like right after installing Active Directory Domain Services (AD DS). By default it displays the following containers:
- Builtin — the container holding the built-in security groups (Administrators, Backup Operators, Event Log Readers, etc.);
- Computers — the default container for computer accounts;
- Domain Controllers — the default container for domain controllers;
- ForeignSecurityPrincipals — the container used to store security identifiers (SIDs) of principals from trusted domains;
- Managed Service Accounts — the container for managed service accounts;
- Users — the default container for users and groups. It holds such important groups as Domain Admins, Enterprise Admins and Schema Admins.
But that is not all: there are many more standard containers. To see all of them, enable Advanced Features in the View menu, which switches ADUC into advanced mode.
This is how ADUC looks in Advanced mode. As you can see, objects that are rarely used (according to Microsoft) are hidden and shown only in Advanced mode. However, any container in AD can be hidden in the same way, so that it is not visible in Standard mode.
To do this, change the showInAdvancedViewOnly attribute, which controls whether the container appears in the standard view. Starting with Windows Server 2008, this can be done directly from the ADUC snap-in running in Advanced Features mode.
Tip. The showInAdvancedViewOnly attribute first appeared in the Windows 2000 Server version of AD. To change it on Windows 2000/Windows Server 2003 you need to install the separate ADSI Edit console (included in the Support Tools pack). On Windows Server 2008 and newer, the attribute can be modified directly from the Active Directory Users and Computers console.
Suppose we want to hide the Users container. Right-click the Users container and select Properties.
In the object's properties, locate the showInAdvancedViewOnly attribute and check its value. For this container it should be False, since the container is not hidden. Click the Edit button.
Change the value to True and click OK. The container will now be visible only in the Advanced mode of the ADUC console.
The same can be done with the ADSI editor. Run it (adsiedit.msc) and connect to the Default Naming Context with the default settings.
Find the desired container (e.g. CN=Users), right-click it and select Properties.
Find the showInAdvancedViewOnly attribute and change its value to True.
In this way we can hide all unnecessary containers from the ADUC snap-in. After hiding most of the containers, ADUC looks much more compact. If you need to edit any item in the "hidden" part of AD, just switch the console to the advanced view.
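The same change, and a check of which containers are currently hidden, can be scripted. The following is an added example and not part of the original article; it assumes the RSAT ActiveDirectory PowerShell module, a session with rights to modify the container, and uses the Users container as the target.

```powershell
# Added example (not from the article): hide a container from the standard
# ADUC view with PowerShell, then audit which top-level containers are hidden.
# Assumes the RSAT ActiveDirectory module and a domain-joined admin session.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
# Example target: the Users container. Adjust the DN for your own container.
$target = "CN=Users,$domainDn"

# Equivalent of setting showInAdvancedViewOnly = True in ADUC or ADSI Edit.
Set-ADObject -Identity $target -Replace @{ showInAdvancedViewOnly = $true }

# To reverse it, clear the attribute; ADUC treats an unset value as "not hidden".
# Set-ADObject -Identity $target -Clear showInAdvancedViewOnly

# Audit: list every container and OU directly under the domain root together
# with its hidden/visible state. Objects whose showInAdvancedViewOnly is True
# appear in ADUC only when Advanced Features is enabled, so this listing shows
# what the standard view is not displaying.
Get-ADObject -SearchBase $domainDn -SearchScope OneLevel `
    -LDAPFilter '(|(objectClass=container)(objectClass=organizationalUnit))' `
    -Properties showInAdvancedViewOnly |
  Select-Object Name, ObjectClass,
      @{ Name = 'HiddenInStandardView'; Expression = { [bool]$_.showInAdvancedViewOnly } } |
  Sort-Object HiddenInStandardView, Name |
  Format-Table -AutoSize
```

Note that the attribute only influences what the ADUC console chooses to draw: the LDAP query in the audit step returns hidden and visible objects alike, and so does any other directory tool. It is a convenience for tidying the console, not an access control, which is why the ACL method described next exists.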
A more involved way to hide an AD container from specific users or groups is to modify the container's security ACL. For example, suppose we want to hide the Boss container from all freelance employees (the AD group FreelanceEmployees). Right-click the Boss container, select Properties and go to the Security tab.
Add the AD group FreelanceEmployees to the ACL and deny the following permissions for this group:
- List Contents
- Read all properties
- Read permissions
With these permissions, members of the FreelanceEmployees group will not be able to see the Boss container in the AD tree. Instead, ADUC will display this object as the Unknown type.
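The three Deny entries from the Security tab map onto three ActiveDirectoryRights flags, and the same ACE can be added and verified from PowerShell. This is an added example, not code from the article; it assumes the RSAT ActiveDirectory module (which provides the AD: drive used by Get-Acl and Set-Acl), and the OU name and group name are the placeholders from the article's scenario.

```powershell
# Added example (not from the article): apply the same three Deny permissions
# with PowerShell and then verify the resulting ACE. Assumes the RSAT
# ActiveDirectory module; the DN and group name are placeholders taken from
# the article's scenario.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=Boss,$domainDn"            # container to hide (assumed DN)
$group    = Get-ADGroup 'FreelanceEmployees'
$sid      = [System.Security.Principal.SecurityIdentifier]$group.SID

# The three permissions from the ADUC Security tab, as ActiveDirectoryRights:
#   List Contents       -> ListChildren
#   Read all properties -> ReadProperty
#   Read permissions    -> ReadControl
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl'

# InheritanceType None scopes the ACE to the container object itself;
# use All if child objects must be covered as well.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show the Deny ACEs that now apply to the group on this object.
(Get-Acl -Path "AD:\$ouDn").Access |
  Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like '*\FreelanceEmployees' } |
  Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType |
  Format-Table -AutoSize
```

Because Deny ACEs are evaluated before Allow ACEs, any account that is a member of FreelanceEmployees loses read access to the object regardless of its other memberships, administrators included; check the group's membership (Get-ADGroupMember) before applying the entry.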