I have a Business Unit defined based on an LDAP query, which I use to limit the accounts in AD an admin can control. I would also like to limit the scope of the search so they cannot find AD users outside of the BU.
I tried removing the Read All Objects from Domain User and adding Read All Objects to my admin role with an assignment over the BU, but now only the admin's own account is visible. I can only seem to get this to work by giving read to everything, which isn't what I want.
I am assuming there is a set of attributes I need to allow access to for the LDAP filter to work on the BU, but I am having trouble working it out.