active directory

How to hide specific OU in Active Directory

The first thing you see while opening Active Directory Users and Computers (ADUC) snap-in is AD containers (Organization Unit, OU), in which user accounts, computers and groups are placed. Depending on the size and organizational structure, number of OU in Active Directory can be quite large.

In addition, there are some predefined containers. Most of them are not used, but displayed in ADUC console, cluttering up the space and making it difficult to admin AD.

That is how ADUC snap-in look like immediately after installing the Active Directory Service (ADDS) by default, it displays the following containers:

  • Builtin container which contains the built-in security groups (Administrators, Backup Operators, Event Log Readers etc);
  • Computers default container for the computers
  • Domain Controllers default container for domain controllers
  • ForeignSecurityPrincipals container that used to store security identifiers (SID), related to trusted domains
  • Managed Service Accounts container for special managed service accounts
  • Users default container for groups and users. It contains such important groups as Domain Admins, Enterprise Admins and Schema Admins

active directory users and computers

But that’s not all, in fact there are much more standard containers. To see them all, it is necessary to check Advanced Features from the View menu option, thereby switching the ADUC in advanced mode.

active directory advanced features

And here is how ADUC look like in Advanced mode. As you can see, rarely used (according to Microsoft) objects are hidden and displayed only in Advanced mode. However, any container in AD can be hidden and it will not be visible in Standard mode.

active directory organisational

To do this, you need to change showInAdvancedViewOnly attribute, which is responsible for appearance of the container in AD. Starting from Windows Server 2008, it can be done directly from the ADUC snap-in running in the Advanced Features mode.

Tip. Attribute showInAdvancedViewOnly first appeared in Windows 2000 Server version of AD. To change it in Windows 2000/Windows 2003, you need to install a special ADSIEDIT console (included in the Support Tools Pack). In Windows 2008 and newer it is possible to modify this attribute directly from the console AD Users and Computers.

So, we want to hide the Users container. Сlick right mouse button on OU Users and select Properties.

active directory properties

In the object’s properties locate the showInAdvancedViewOnly attribute and check its value. To this container, it should be equal to False, since this is a not hidden container. Click Edit button.

active directory users properties

Change the value to True and click OK. Now, the container will be visible only in the Advanced mode of ADUC console.

active directory boolean

The same can be done using the ADSI editor. Run it (adsiedit.msc) and connect to the Default Naming Context with default settings.

active directory connection settings

Find the desired container (eg. CN = Users), right click on it and select Properties.

active directory cn users

Find showInAdvancedViewOnly attribute and change its value to True.

active directory cnusers properties

Thus, we can hide from the ADUC snap-in all unnecessary containers. ADUC looks more compact after hiding most of containers. If you want to edit any item in the “hidden” part of AD, just switch the console to the advanced view.

active directory container

A more complex way to hide the AD container from specific users or groups is a modification of the container’s Security ACL. For example, we want to hide Boss container from all freelance employees (AD group FreelanceEmployees). Right click on Boss container, select Properties and move to Security tab.

active directory boss properties

Add AD group FreelanceEmployees to the ACL and deny the following permissions for this group:

  • List Contents
  • Read all properties
  • Read permissions

active directory permission

With such permissions, users of FreelanceEmployees group will not be able to see BOSS container in AD tree. Instead of this, OU will be displaying this object as the Unknown type.

You may also like:

Configuring GPO Proxy Settings for Internet Explor... The article shows how to configure GPO proxy settings for Internet Explorer 11 browser using Active Directory Group Policies. In earlier versions of I...
AD Account Keeps Locking Out Sometimes there are situations when AD account keeps locking out, this happen when you try to log on to a domain computer and getting an error on the ...
Installing Active Directory Users and Computers MM... One of the main Active Directory domain management tools is the MMC snap-in Active Directory Users and Computers (ADUC). The ADUC snap-in is used to p...
How to transfer FSMO Roles From a Failed Domain Co... In case domain controller, which owns FSMO (Flexible Single Master Operation) roles, is fail (virus attack, fatal software problems or catastrophic ha...
Fix Trust relationship failed issue without domain... In this article, we will discuss the causes of Trust relationship failed error and some solutions on how to restore secure channel between the worksta...
  1. Posted by Sam Bloom

Add Your Comment