We have a new set of users who should not be authenticated on any domain-joined machines. They don't get an Exchange account, and they should not be able to log in to any application except a couple. Their access should be completely prohibited except for two applications. We can put these users in a separate new OU. To prevent access to domain-joined machines, we are planning to NOT set them as domain users.
a) How can we prevent this OU from being read by all service accounts except the one that is used by the applications? In our domain, all service accounts in an OU have rights to read all the other accounts in the domain. All the service accounts have access to read all the accounts in the domain.
b) Also, these users can be authenticated to only 2 applications. What are the options?