Ldap access lists users even if user has no rights...

Posted by Patkos Csaba on Server Fault See other posts from Server Fault or by Patkos Csaba
Published on 2011-02-23T14:28:17Z Indexed on 2011/02/23 15:26 UTC

I am trying to set up a more complex Active Directory structure for some testing purposes.

What I did so far:

  • set up 2 Windows servers (one 2008 and one 2003) to control the same domain
  • set up an Organizational Unit (ou): Developers
  • set up 2 child OUs: "one" and "two"
  • each OU has its admin: adminOne and adminTwo
  • I denied all access to OU "two" by removing, on the Security tab, all the groups I don't want to access it.
  • now, when I log in as adminOne and I try to click on OU "two" it says I don't have permissions to see the users and properties of "two" - this is perfect, it's what I want

Here comes my problem:

  • I do an LDAP query with the adminOne user on the "Developers" OU

What I expect to happen:

  • I expect to retrieve the users from Developers -> One
  • I expect to NOT be able to retrieve the users from Developers -> Two

What actually happens:

  • ldap shows all the users, both from Developers -> One and Developers -> Two, even if the user should not have permissions to Developers -> Two

And now my question:

  • are there any specific settings on Windows 2003 or 2008 Active Directory servers which allow or deny access over LDAP? I could not find any.
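To verify the behaviour described in the question and see which access control entries on OU "two" actually grant read access to adminOne, here is an added PowerShell check; it is not part of the original post. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), the OU names from the question, and the placeholder domain example.test.

```powershell
# Added example, not from the original question. Assumes the placeholder
# domain example.test; adjust $domainDN and the account name for your lab.
Import-Module ActiveDirectory

$domainDN = 'DC=example,DC=test'                 # assumption: placeholder domain
$devOU    = "OU=Developers,$domainDN"
$twoOU    = "OU=two,$devOU"
$cred     = Get-Credential 'EXAMPLE\adminOne'   # prompts for adminOne's password

# 1. Run the same subtree search the question describes, bound as adminOne,
#    and report any user that lives under OU=two.
$seen = Get-ADUser -Filter * -SearchBase $devOU -SearchScope Subtree -Credential $cred |
        Select-Object -ExpandProperty DistinguishedName

$leaked = @($seen | Where-Object { $_ -like "*,$twoOU" })
if ($leaked.Count -gt 0) {
    Write-Warning "adminOne can still read $($leaked.Count) user(s) under OU=two:"
    $leaked | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "OU=two is not visible to adminOne over LDAP."
}

# 2. List every Allow ACE on OU=two that carries a list or read right, and
#    whether it is inherited. Removing groups on the Security tab only edits
#    explicit ACEs on that object; an inherited ACE still applies.
$readMask = [int]([System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)

$acl = Get-Acl -Path "AD:\$twoOU"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights) -band $readMask) -ne 0
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType |
    Format-Table -AutoSize
```

Any Allow entry whose identity adminOne is a member of, directly or through a built-in group such as Authenticated Users, explains why the search still returns users from OU "two"; the IsInherited column tells you whether the entry has to be addressed on the parent OU rather than on "two" itself.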
