A. By default, users can view the content of organizational units (OUs). You can prevent users from viewing OU content by removing the List Contents right for that OU, or you can use the List Object permission to explicitly select which objects in an OU are viewable by particular users or groups.
To enable the List Object option, perform these steps on a domain controller (DC) or on a machine that has adsiedit.msc installed. (ADSI Edit is part of the Windows 2000 or later support tools.)
- Start adsiedit.msc (Start, Run, adsiedit.msc).
- Expand the Configuration container. Expand Services - Windows NT.
- Right-click "CN=Directory Service" and select Properties.
- Double-click the dSHeuristics attribute.
- If the value is Not Set, set it to 001. If the value field isn't blank, change the third character of the string to 1, as the figureshows. Click OK.
- Close ADSI Edit.
Now when you select an object's advanced security properties, a new List Object property is displayed, as the figure at figure shows.
You need to ensure that you set the List Object right not only on the objects you want to be visible but also on the OU containing the objects. Remember to remove the List Contents permission from the container for users whom you don't want to view the entire contents. For example, by default the Authenticated Users group has List Contents permission, so you'd need to remove that right to allow the more granular List Object capability.
Be careful when using the List Object functionality because it makes DCs perform extra work. The DC must check every object in a container to determine whether the object should be visible instead of merely checking the container for a general list or "not list" option.