Some ideas around this I haven't personally tested these but do know that this method is used by some organizations:

Since the DST relies on querying AD for accounts it relies on permissions/ACL's on objects to read those accounts and their attributes.

• One method that has been used is in the archival of accounts whereby users that are no longer with the organization have their accounts moved into an OU where the OU is ACL'ed in a way to prevent the account that DST uses from accessing that OU and the contents within.  The DST tool runs ucontent-fragment-top fiji-content-fragment-top">