Policy to allow a user to list accounts only within their own organizational unit in Active Directory
Can a policy be defined that restricts a user to only listing accounts in their own OU?
For example, consider the domain Contoso with OUs Sales and HR. The Sales OU has two users, A and B, and the HR OU has users C and D.
Is it possible to define a policy so that A and B can only list the accounts A and B, and C and D can only list the accounts C and D, and nobody can list accounts outside their own department?
Do not do this!
But you can create a group for each OU and put the OU's users inside that group. Then you can change the permissions on every other OU to deny this group the "List Contents" permission. I don't think there is a way to set this up without scripting. But since the rule is simple, it can be scripted.
That said, I would advise you not to dare to change the default permissions of Active Directory without having a dedicated team of experts on this particular subject. You can easily render your network useless with just a few clicks. And even if you don't, there is a chance that programs that rely on Active Directory permissions (without even realizing it) will experience subtle bugs.
So this is the rule: if you have to ask, don't. If you need to become an expert, then:
http://www.google.com/search?hl=en&q=active+directory+permission+site:microsoft.com&btnG=Search
Update: The "if you have to ask" rule refers to asking on a public site like this one, where non-experts like me can give you potentially misleading information, as mine might be (hopefully not, but ...). I'm not sure whether your requirement has an easy solution or not. But as far as I know, this is a road on which more than a few brave souls have been burned.
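The per-OU group plus "List Contents" deny that the answer describes, scripted as an added example (this is not code from the original post). It assumes the RSAT ActiveDirectory module with its AD: drive, department OUs directly under the domain root, and a container for the new groups; the OU names, group names and container DN are placeholders. It only reports what it would change unless -Apply is given, so the plan can be reviewed first.

```powershell
# Added example, not from the original answer. Assumes the ActiveDirectory
# module, the AD: PSDrive, and department OUs directly under the domain root.
[CmdletBinding()]
param(
    [string[]]$DepartmentOUs = @('Sales', 'HR'),                   # assumed OU names
    [string]$GroupContainer = 'OU=Dept Groups,DC=contoso,DC=com',  # assumed container
    [switch]$Apply                                                 # default: report only
)
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$groups = @{}

# Step 1: one global group per OU, holding the users of that OU.
foreach ($ou in $DepartmentOUs) {
    $ouDN = "OU=$ou,$domainDN"
    $groupName = "Dept-$ou-Users"
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
    if (-not $group) {
        if ($Apply) { $group = New-ADGroup -Name $groupName -GroupScope Global -Path $GroupContainer -PassThru }
        else { Write-Output "Would create group $groupName in $GroupContainer" }
    }
    $users = @(Get-ADUser -SearchBase $ouDN -SearchScope Subtree -Filter *)
    if ($Apply -and $users.Count -gt 0) { Add-ADGroupMember -Identity $group -Members $users }
    else { Write-Output "Would add $($users.Count) users from $ouDN to $groupName" }
    $groups[$ou] = @{ DN = $ouDN; Group = $group; Name = $groupName }
}

# Step 2: on every OU, deny each *other* OU's group "List Contents" (ListChildren),
# inherited to all descendants. Deny ACEs win over allows, so an administrator
# who lands in one of these groups loses the ability to list that OU as well.
foreach ($target in $DepartmentOUs) {
    foreach ($other in ($DepartmentOUs | Where-Object { $_ -ne $target })) {
        $targetDN = $groups[$target].DN
        if ($Apply) {
            $acl = Get-Acl -Path "AD:\$targetDN"
            $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                [System.Security.Principal.SecurityIdentifier]$groups[$other].Group.SID,
                [System.DirectoryServices.ActiveDirectoryRights]::ListChildren,
                [System.Security.AccessControl.AccessControlType]::Deny,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
            $acl.AddAccessRule($rule)
            Set-Acl -Path "AD:\$targetDN" -AclObject $acl
        } else {
            Write-Output "Would deny ListChildren on $targetDN to $($groups[$other].Name)"
        }
    }
}
```

Run it once without -Apply and check the reported plan against Get-Acl output on each OU before applying; a user who is a member of more than one department group is denied listing in every department but their own.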