Tip #144: Restrict AD browsing when adding new users

If you are a hosting provider, or a security-conscious administrator managing multiple CRM deployments, you will want to avoid exposing the entire Active Directory when a user with the appropriate permissions clicks New Multiple Users and then opts to browse all trusted domains and groups.

There are some unsupported methods, as well as supported C# code, to achieve this. Since an administrator's language of choice is PowerShell, here is how to do it from the PowerShell prompt:

Add-PSSnapin Microsoft.Crm.PowerShell
$ConfigurationEntityName = "Organization"
$SettingName = "UserRootPath"

# Full LDAP path of the OU that the browse dialog is allowed to show.
# The distinguished name is comma-separated: OU=...,OU=...,DC=...,DC=...
$SettingValue = "LDAP://contoso.local/OU=AlpineSkiHouse,OU=Customers,DC=contoso,DC=local"

# Easiest way to get the organization ID is to run SQL against the
# MSCRM_CONFIG database:
# select o.Id, FriendlyName from Organization o
#
# 9FF2BD5D-D741-E311-922F-02BF0A033E06	Alpine Ski House
#

$Id = [Guid]"9FF2BD5D-D741-E311-922F-02BF0A033E06"

# The setting lives on the Organization configuration entity, keyed by its Id
$setting = New-Object Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity
$setting.LogicalName = $ConfigurationEntityName
$setting.Id = $Id

$setting.Attributes = New-Object Microsoft.Xrm.Sdk.Deployment.AttributeCollection

# UserRootPath is passed as a name/value pair in the entity's attribute collection
$kvo = "System.Collections.Generic.KeyValuePair[String, Object]"
$keypair = New-Object $kvo -ArgumentList $SettingName, $SettingValue

$setting.Attributes.Add($keypair)

Set-CrmAdvancedSetting -Entity $setting

When new users are added in bulk to the Alpine Ski House organization, browsing is restricted to the relevant OU only. CRM is smart enough to work out who is already a user and displays only the new ones. Nice and clean.
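As an added example (not code from the original tip), the same change packaged as a reusable function for a multi-organization deployment: it validates the OU path before applying it, looks the organization Id up with Get-CrmOrganization instead of SQL, and reads the setting back with Get-CrmAdvancedSetting to confirm it took. The Get-CrmOrganization lookup by UniqueName, the -Id parameter of Get-CrmAdvancedSetting and the tenant map are assumptions and constructed values, not from the post.

```powershell
# Added example, not from the original tip: apply a per-organization
# UserRootPath from a name->OU map and read it back to confirm the change.
# Assumes the Microsoft.Crm.PowerShell snap-in's Get-CrmOrganization and
# Get-CrmAdvancedSetting cmdlets; org names and OUs below are constructed.
Add-PSSnapin Microsoft.Crm.PowerShell -ErrorAction Stop

function Set-CrmUserRootPath {
    param(
        [Parameter(Mandatory)] [string] $OrgUniqueName,
        [Parameter(Mandatory)] [string] $Domain,   # e.g. contoso.local
        [Parameter(Mandatory)] [string] $OuDn      # e.g. OU=x,OU=Customers,DC=contoso,DC=local
    )
    # Reject a DN with a missing or non-comma separator before it reaches CRM,
    # so a typo cannot leave the browse dialog pointing at the wrong scope.
    if ($OuDn -notmatch '^OU=[^,]+(,(OU|DC)=[^,]+)+$') {
        throw "Malformed OU distinguished name: $OuDn"
    }
    $org = Get-CrmOrganization | Where-Object { $_.UniqueName -eq $OrgUniqueName }
    if (-not $org) { throw "Organization '$OrgUniqueName' not found" }

    $setting = New-Object Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity
    $setting.LogicalName = "Organization"
    $setting.Id = $org.Id
    $setting.Attributes = New-Object Microsoft.Xrm.Sdk.Deployment.AttributeCollection
    $pair = New-Object "System.Collections.Generic.KeyValuePair[String,Object]" `
        -ArgumentList "UserRootPath", "LDAP://$Domain/$OuDn"
    $setting.Attributes.Add($pair)
    Set-CrmAdvancedSetting -Entity $setting

    # Read the value back so the restriction is verified, not assumed
    # (assumes Get-CrmAdvancedSetting accepts -Id for the Organization entity).
    $applied = Get-CrmAdvancedSetting -ConfigurationEntityName Organization `
        -SettingName UserRootPath -Id $org.Id
    return $applied
}

# Constructed tenant map for a multi-organization deployment.
$tenants = @{
    "AlpineSkiHouse" = "OU=AlpineSkiHouse,OU=Customers,DC=contoso,DC=local"
    "Fabrikam"       = "OU=Fabrikam,OU=Customers,DC=contoso,DC=local"
}
foreach ($name in $tenants.Keys) {
    Set-CrmUserRootPath -OrgUniqueName $name -Domain "contoso.local" -OuDn $tenants[$name]
}
```

Run it as a Deployment Administrator on the CRM server; each returned entity's Attributes collection should carry the UserRootPath you just set.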
