It looks like the user has permissions to view objects deeply within the AD structure, but doesn’t have appropriate permissions to view objects located directly under the directory root. Since the Look In section starts browsing from the root of your domain, the user needs permissions to view all containers from the domain root down to the OU where the users are located. For example, if users are located in OU TESTDOM/Offices/Afdeling AA, to be able to browse to the necessary OU in the directory tree, the user needs at least the permissions to view your domain, the Offices OU and the Afdeling AA OU.
By default, the permissions to view all objects are granted by a built-in Security Role called Domain User. Probably, you’ve disabled it or changed its Assignment Scope. If you’ve assigned your users the built-in Account Manager Security Role, it already contains a permission to view any objects (Read – All object types), so you simply need to include the necessary OU objects in the Assignment Scope of the Role. To do this:
1. In the Console Tree of the Administration Console, select the Security Role. The role Assignments will appear in the Result Pane (located to the right).
2. Click Add Assignment.
3. In the Select Trustee dialog box, select a user or group whom you want to grant the permissions and click OK.
4. In the Specify Assignment Scope dialog box, select one of the Organizational Units a user needs to view.
5. Click Add.
6. In the Assignment Options window, select This Organizational-Unit object. Click OK.
7. Repeat steps 4-6 for all OUs located from the domain root to the OU the user has administrative permissions in.
8. Save the Security Role.
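To see which objects the repeat step has to cover, the following added example (not part of the original reply and not Adaxes code) lists every object from the domain root down to a target OU and reports the ones missing from a hand-typed list of scopes already assigned. The function names are hypothetical, the sample DN is constructed from the TESTDOM/Offices/Afdeling AA example with an assumed `.local` suffix, and the script does plain string handling only, without querying AD or Adaxes.

```powershell
function Split-DistinguishedName {
    # Split a DN into RDNs on commas that are not escaped with a backslash,
    # so names such as "OU=Sales\, EMEA" stay in one piece.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $parts   = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    $escaped = $false
    foreach ($ch in $DistinguishedName.ToCharArray()) {
        if ($escaped)        { [void]$current.Append($ch); $escaped = $false }
        elseif ($ch -eq '\') { [void]$current.Append($ch); $escaped = $true }
        elseif ($ch -eq ',') { $parts.Add($current.ToString().TrimStart()); [void]$current.Clear() }
        else                 { [void]$current.Append($ch) }
    }
    $parts.Add($current.ToString().TrimStart())
    return ,$parts.ToArray()
}

function Get-RequiredViewScope {
    # Emit the domain object first, then each container down to the target OU.
    param([Parameter(Mandatory)][string]$TargetOU)
    $rdns = Split-DistinguishedName -DistinguishedName $TargetOU
    $firstDc = 0
    while ($firstDc -lt $rdns.Length -and $rdns[$firstDc] -notmatch '^DC=') { $firstDc++ }
    if ($firstDc -eq $rdns.Length) { throw "No DC= components found in '$TargetOU'." }
    for ($i = $firstDc; $i -ge 0; $i--) {
        $rdns[$i..($rdns.Length - 1)] -join ','
    }
}

function Get-MissingViewScope {
    # Compare the required chain with the scopes already assigned (case-insensitive).
    param(
        [Parameter(Mandatory)][string]$TargetOU,
        [string[]]$AssignedScope = @()
    )
    Get-RequiredViewScope -TargetOU $TargetOU |
        Where-Object { $AssignedScope -notcontains $_ }
}

# Constructed sample: the OU the delegated user manages, and the one scope
# entry assumed to exist on the Security Role so far.
$target   = 'OU=Afdeling AA,OU=Offices,DC=testdom,DC=local'
$assigned = @('OU=Afdeling AA,OU=Offices,DC=testdom,DC=local')

Get-MissingViewScope -TargetOU $target -AssignedScope $assigned
```

Each DN the script prints is an object that still needs an assignment with the This Organizational-Unit object option, which keeps the grant limited to the containers themselves rather than everything beneath them.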