By default, a regular user does not have any Active Directory access in Active Roles Server.
The access has to be explicitly granted with Active Roles Access Templates.
The minimum permission required to view and browse OUs is OU - allow read all properties, granted at the domain level. With that permission granted, the user will be able to see all the OUs in the domain.
However, if the read permissions are granted to just the required OU, the user is not able to navigate to it, as the domain subtree is not visible.
How to limit the access to just one particular OU?
Note: A minor side effect of this method is that the delegated users will be able to see all the OUs in the path to the target OU from the domain level.