@JMH By default, all domain users have read permission on Active Directory objects. This means any user can install the RSAT tools and browse/list/find other objects. You can move the users to a separate OU and deny read permission on the AADDC Users OU, but that can lead to some problems if those users have any link to a user/group in the users container, e.g. if the user has a manager attribute configured with a user account which is in the AADDC Users OU, or the user is a member of a group present in the AADDC Users OU. This is not a very common requirement and if it has to be done, it would require a lot of planning and testing.
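As an added example (not part of the answer above), this PowerShell sketch inventories the links the answer warns about before any deny-read ACE is applied: users in the separate OU whose manager or group memberships point into the AADDC Users OU. It assumes the ActiveDirectory module from RSAT is installed; the domain name and the `Isolated Users` OU are placeholders.

```powershell
# Added example: pre-change audit of links from an isolated OU into AADDC Users.
Import-Module ActiveDirectory

# Placeholder values (assumptions): replace with your own domain and OU names.
$SourceOU   = 'OU=AADDC Users,DC=example,DC=com'     # OU on which read would be denied
$IsolatedOU = 'OU=Isolated Users,DC=example,DC=com'  # hypothetical OU holding the moved users

function Test-InOU {
    param([string]$DistinguishedName, [string]$OU)
    # True when the object sits in $OU or in a child container of it.
    # EndsWith avoids wildcard characters in DNs being interpreted by -like.
    return $DistinguishedName.EndsWith(",$OU", [System.StringComparison]::OrdinalIgnoreCase)
}

# Manager and MemberOf are not returned by default, so request them explicitly.
$users = Get-ADUser -Filter * -SearchBase $IsolatedOU -SearchScope Subtree `
                    -Properties Manager, MemberOf

$report = foreach ($u in $users) {
    # Manager attribute pointing at an account in the restricted OU
    if ($u.Manager -and (Test-InOU $u.Manager $SourceOU)) {
        [pscustomobject]@{ User = $u.SamAccountName; Link = 'manager'; Target = $u.Manager }
    }
    # Direct group memberships (memberOf does not list the primary group)
    foreach ($g in $u.MemberOf) {
        if (Test-InOU $g $SourceOU) {
            [pscustomobject]@{ User = $u.SamAccountName; Link = 'memberOf'; Target = $g }
        }
    }
}

$report | Sort-Object User, Link | Format-Table -AutoSize
'{0} link(s) into "{1}" found across {2} user(s)' -f @($report).Count, $SourceOU, @($users).Count
```

Each row in the output is a dependency to resolve or test before changing permissions on the AADDC Users OU.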