When you open the Active Directory Users and Machines (ADUC) snap-in, the first thing you notice are AD containers (Organization Unit, OU), which hold user accounts, computers, and groups. The number of OUs in Active Directory might vary greatly depending on the size and structure of the organization.
There are also some pre-defined containers. The majority of them aren’t used, but they’re still shown in the ADUC console, cluttering up the screen and making it harder to manage AD.
That’s how the ADUC snap-in looks right after you install the Active Directory Service (ADDS) – it shows the following containers by default:
- Builtin – a container for the built-in security groups (administrators, backup operators, event log readers, and so on);
- Computers – this is the default container for computers.
- Domain Controllers — domain controllers’ default container
- Security identifiers (SID) associated with trusted domains are stored in the ForeignSecurityPrincipals container.
- Container for special managed service accounts is Managed Service Accounts.
- Users is the default container for users and groups. It includes groups such as Domain Admins, Enterprise Admins, and Schema Admins, among others.
But that’s not all; there are many more conventional containers available. To see them all, go to the View menu option and click Advanced Features, which will put the ADUC in advanced mode.
Here’s how ADUC appears in Advanced mode. As you can see, objects that are infrequently utilised (according to Microsoft) are hidden and only visible in Advanced mode. Any container in AD, on the other hand, can be hidden and will not be shown in Standard mode.
To do so, alter the showInAdvancedViewOnly attribute, which is responsible for the container’s presentation in AD. It can be done directly from the ADUC snap-in in Advanced Features mode starting with Windows Server 2008.
ShowInAdvancedViewOnly was first introduced in the Windows 2000 Server version of AD. You’ll need to install a specific ADSIEDIT console in Windows 2000/Windows 2003 to alter it (included in the Support Tools Pack). This characteristic can be changed directly from the console AD Users and Computers in Windows 2008 and newer.
As a result, we’d like to hide the Users container. Select Properties with the right mouse button on OU Users.
Check the value of the showInAdvancedViewOnly attribute in the object’s properties. Because this is not a hidden container, it should be False for this container. Select the Edit option.
Change the value to True and click OK. Now, the container will be visible only in the Advanced mode of ADUC console.
The same can be done using the ADSI editor. Run it (adsiedit.msc) and connect to the Default Naming Context with default settings.
Find the desired container (eg. CN = Users), right click on it and select Properties.
Change the value of the showInAdvancedViewOnly attribute to True.
As a result, we may conceal all superfluous containers from the ADUC snap-in. After hiding the majority of the containers, ADUC appears to be more compact. Simply switch the console to the advanced view to alter any item in AD’s “hidden” section.
A modification of the container’s Security ACL is a more complicated technique to hide the AD container from specified users or groups. For example, we’d like to keep the Boss container hidden from all freelancers (AD group FreelanceEmployees). Right-click on the Boss container, then select Properties, then Security.
Add AD group FreelanceEmployees to the ACL and deny the following permissions for this group:
- List Contents
- Read all properties
- Read permissions