How to change Default OU permissions in Active Directory

By default, the built-in Authenticated Users group has Read permission in the access control list of every newly created organisational unit (OU). As a result, any domain user can browse the contents of any OU through the Active Directory Users and Computers snap-in, and hiding a specific OU from users means manually editing that OU's security settings every time. By changing the default security settings of the organizationalUnit class, you can avoid editing OU permissions by hand.

The properties of an object class are changed by editing the Active Directory schema. To do so, we need to install the Active Directory Schema snap-in (for security reasons, this snap-in is disabled on domain controllers by default).

There are a few things to remember.

  1. You must be exceedingly cautious while altering the Active Directory schema because the changes may have an impact on the entire forest.
  2. Your account must be a member of the Schema Admins group to modify the schema (the Enterprise Admins and Domain Admins groups are not the same as the Schema Admins group).

First, open an elevated Command Prompt on a domain controller and register the dynamic library schmmgmt.dll, which is needed to run the snap-in:

regsvr32 schmmgmt.dll

Then open the mmc console and go to File -> Add / Remove Snap-in.

In the list of available snap-ins, select Active Directory Schema and add it to the console by clicking Add and then OK.

The Active Directory Schema snap-in allows you to edit all existing Active Directory classes and properties.

Go to the Classes section of the Active Directory Schema (Dcname1). Locate the class organizationalUnit in the class list, right-click on it, and select Properties.

Open the Default Security tab on the class property page. This tab shows the default permissions for new OUs in Active Directory. To remove the Read permission for the Authenticated Users group, click the Advanced button to open the advanced security settings.

In the Advanced Security Settings window, select the Authenticated Users group in the list of OU permissions and click Edit.

Specify the desired OU permissions in the window that opens. For example, we want to remove the List Object permission but keep the Read all properties permission for all objects in the OU.

Save the changes by clicking OK three times and close the snap-in. The change takes effect in AD only after the schema changes have replicated to all DCs in your forest.

After that, by default, domain users will not be able to view the list of objects contained in a new organisational unit created in Active Directory.

This setting applies only to newly created OUs; the permissions of existing OUs remain unchanged.
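The same change can be made and verified without the Schema snap-in by editing the defaultSecurityDescriptor attribute of the organizationalUnit schema class. The script below is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is installed, that the account is a member of Schema Admins, and that the change is written to the schema master. The function name Remove-RightFromSddl is made up for this example.

```powershell
# Added example: inspect and adjust the defaultSecurityDescriptor of the
# organizationalUnit schema class with the ActiveDirectory module.
Import-Module ActiveDirectory

$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNc     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$classDn      = "CN=Organizational-Unit,$schemaNc"

# ActiveDirectoryRights values behind the SDDL abbreviations used for OUs:
# LC = List Contents (ListChildren), RP = Read all properties, LO = List Object,
# RC = Read permissions (ReadControl).
$Rights = @{ LC = 0x4; RP = 0x10; LO = 0x80; RC = 0x20000 }

# Remove the given access-mask bits from every allow ACE granted to a SID.
# S-1-5-11 is the well-known SID of Authenticated Users.
function Remove-RightFromSddl {
    param([string]$Sddl, [int]$AccessMask, [string]$Sid = 'S-1-5-11')
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.QualifiedAce] -and
            $ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
            $ace.SecurityIdentifier.Value -eq $Sid) {
            $ace.AccessMask = $ace.AccessMask -band (-bnot $AccessMask)
        }
    }
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# 1. Read the current default descriptor of the class (SDDL string).
$class = Get-ADObject -Identity $classDn -Server $schemaMaster -Properties defaultSecurityDescriptor
Write-Host "Current: $($class.defaultSecurityDescriptor)"

# 2. Build the new descriptor: drop List Object (LO) for Authenticated Users,
#    as in the article's example, while leaving RP (Read all properties) intact.
$newSddl = Remove-RightFromSddl -Sddl $class.defaultSecurityDescriptor -AccessMask $Rights.LO
Write-Host "New:     $newSddl"

# 3. Write it back on the schema master. -WhatIf previews the change;
#    remove it to apply, then wait for schema replication to all DCs.
Set-ADObject -Identity $classDn -Server $schemaMaster `
    -Replace @{ defaultSecurityDescriptor = $newSddl } -WhatIf
```

Comparing the "Current" and "New" SDDL lines before removing -WhatIf is a quick way to confirm that only the Authenticated Users entry changed and that the rest of the descriptor is untouched.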
