You want to prevent authenticated users from browsing the contents of Active Directory by default. Enabling List Object Access mode means that a user who lacks the List Contents right on a container will only see the objects in it on which they have been granted the List Object right explicitly.
Open ADSI Edit.
In the Configuration partition, browse to cn=Services → cn=Windows NT → cn=Directory Service.
In the left pane, right-click on the Directory Service object and select Properties.
Double-click on the dSHeuristics attribute.
If the attribute is empty, set it to the value 001. If the attribute already has a value, change only the third character (counting from the left) to 1 and leave every other character as it is: dSHeuristics is a single forest-wide string whose other positions control unrelated directory behaviors.
Click OK twice.
' This code enables or disables List Object mode for a forest by setting
' the third character of the dSHeuristics attribute.
' ------ SCRIPT CONFIGURATION ------
boolEnableListObject = 1   ' e.g. 1 to enable, 0 to disable
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
set objDS = GetObject( _
   "LDAP://cn=Directory Service,cn=Windows NT,cn=Services," _
   & objRootDSE.Get("configurationNamingContext") )

' dSHeuristics is usually unset in a fresh forest; Get() raises an error
' for an attribute with no value, so treat that case as an empty string.
On Error Resume Next
strDSH = objDS.Get("dSHeuristics")
if Err.Number <> 0 then
   strDSH = ""
   Err.Clear
end if
On Error GoTo 0

' Pad to at least two characters so the third position can be written
' without disturbing the first two (other forest-wide settings).
do while len(strDSH) < 2
   strDSH = strDSH & "0"
loop

' Replace only the third character; keep anything after it unchanged.
strNewDSH = Left(strDSH, 2) & boolEnableListObject
if len(strDSH) > 3 then
   strNewDSH = strNewDSH & Right(strDSH, len(strDSH) - 3)
end if

WScript.Echo "Old value: " & strDSH
WScript.Echo "New value: " & strNewDSH

if strDSH <> strNewDSH then
   objDS.Put "dSHeuristics", strNewDSH
   objDS.SetInfo
   WScript.Echo "Successfully set list object mode to " & _
                boolEnableListObject
else
   WScript.Echo "List object mode already set to " & boolEnableListObject
end if
List Object Access mode is useful if you want users to see only a subset of the objects when they list a particular container, or not to be able to list the objects in a container at all. By default, the Authenticated Users group is granted the List Contents access control right over objects in a domain. If you remove or deny this right on a container by modifying its ACL, users will no longer get a listing of the objects in that container in tools such as Active Directory Users and Computers or ADSI Edit.
To limit the objects users can see when they list a container, you first need to enable List Object Access mode as described in the solution. You should then remove the List Contents access control right on the target container. Lastly, grant the List Object right on each object that the users or groups should be able to list.
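The three steps above carried out from PowerShell, as an added example that is not part of the original recipe. It assumes the ActiveDirectory module (RSAT) is installed, that the caller is an Enterprise Admin, and uses placeholder names for the container, the group and the objects the group may list; the ListChildren and ListObject values of System.DirectoryServices.ActiveDirectoryRights correspond to the List Contents and List Object rights discussed here.

```powershell
# Added example, not the recipe's own code. Enables List Object mode for the
# forest, removes Authenticated Users' List Contents right on one OU, and
# grants a group the List Object right on the objects it is allowed to see.
# The DNs and group below are placeholders for illustration.
Import-Module ActiveDirectory

$targetOU   = 'OU=Hosted,DC=example,DC=com'                 # placeholder container
$viewerGrp  = 'HostedViewers'                               # placeholder group
$visibleDns = @('CN=App1,OU=Hosted,DC=example,DC=com',      # placeholder objects
                'CN=App2,OU=Hosted,DC=example,DC=com')

# --- Step 1: set the third character of dSHeuristics to 1 (forest-wide) ---
$rootDse = Get-ADRootDSE
$dsDn    = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsObj   = Get-ADObject -Identity $dsDn -Properties dSHeuristics
$old     = [string]$dsObj.dSHeuristics          # '' when the attribute is unset
while ($old.Length -lt 3) { $old += '0' }       # pad so position 3 exists
$new = $old.Substring(0, 2) + '1' + $old.Substring(3)   # touch only position 3
if ($new -ne $old) {
    Set-ADObject -Identity $dsDn -Replace @{ dSHeuristics = $new }
}
"dSHeuristics: '$old' -> '$new'"

# --- Step 2: remove List Contents for Authenticated Users on the container ---
$authUsers = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-11')
$ouAcl = Get-Acl -Path "AD:\$targetOU"
$ouAcl.RemoveAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $authUsers,
    [System.DirectoryServices.ActiveDirectoryRights]::ListChildren,
    [System.Security.AccessControl.AccessControlType]::Allow)) | Out-Null

# --- Step 3: grant List Object to the group on the container and on the
# objects it may list. Without List Contents on the parent, an object is
# visible only when the caller holds List Object on both parent and object.
$grpSid = (Get-ADGroup -Identity $viewerGrp).SID
$ouAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $grpSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ListObject,
    [System.Security.AccessControl.AccessControlType]::Allow))
Set-Acl -Path "AD:\$targetOU" -AclObject $ouAcl

foreach ($dn in $visibleDns) {
    $objAcl = Get-Acl -Path "AD:\$dn"
    $objAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $grpSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ListObject,
        [System.Security.AccessControl.AccessControlType]::Allow))
    Set-Acl -Path "AD:\$dn" -AclObject $objAcl
}

# --- Check: show who still holds List Contents or List Object on the OU ---
(Get-Acl -Path "AD:\$targetOU").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'ListChildren|ListObject' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
```

RemoveAccessRule only strips ListChildren from ACEs that are set directly on the OU; a List Contents grant inherited from a parent container has to be removed at that parent or blocked by disabling inheritance on the OU. Verify the result with the final query as a user who is only a member of Authenticated Users, and keep in mind that List Object rights granted by other ACEs on an object (for example from its object class's default security descriptor) will still make that object visible.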
MSDN: Controlling Object Visibility, and Microsoft's High-Volume Hosting site at http://www.microsoft.com/serviceproviders/deployment/hvh_ad_deploy.asp