Hiding organizational units (OUs) is not a game of hide and seek. It's not even a configuration setting that disables...
the display of OUs from users. Instead, hidden OUs are created through intelligent Active Directory container layout and design. The primary purpose of hidden OUs is to prevent an administrator from one OU from being able to view, access, or alter another OU. Hidden OUs are often used in environments that offer network application services to internal departments or external customers. It allows for a solid separation of duties without requiring separate domains or forests.
If you are working with Exchange 2000, for example, and are offering e-mail services to several external companies, you need to separate logically each customer's data from the others. Often, one or more users from each company are granted some level of administrative control over their company's e-mail system. You only real solutions are separate forests or hidden OUs. Because separate forests imply a significant increase in cost, primarily for hardware, hidden OUs offer a cost-effective yet secure solution.
A hidden OU is little more than an OU placed on the same logical level as other OUs that you wish to hide from. An administrator from a parent OU can always see the presence of all child OUs. However, an administrator from a peer OU cannot see the presence of other peer level OUs. For example, suppose a company has a domain named xyzcorp.main. It then creates a headquarters OU. Within this OU, it creates site1, site2, and site3 OUs. A hidden OU can be created on the same level as the site1-site3 OUs, such as SiteH. SiteH will be effectively hidden from all members of the other site OUs. Once you have created the hidden OU, you need to specifically assign and revoke access rights to users and admins to ensure the secrecy of the hidden OU. If users don't have read permission for an OU, it will not appear to them while browsing the directory. Otherwise, users will by default be able to see the hidden OU in standard directory browsing activities.
Along with placing the hidden OU at the same level as other peers and properly assigning access rights, you should also avoid standardized naming conventions. Your hidden OU should have an irregular name. Otherwise, administrators may be able to deduce or infer the name of the hidden OUs.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.