By default, a regular user does not have any Active Directory access in ActiveRoles Server.
The access has to be explicitly granted with ActiveRoles Access Templates.
The minimum permission required to view and browse OUs is OU - allow read all properties, granted at the domain level. With that permission granted, the user will be able to see all the OUs in the domain.
However, if the read permissions are granted to just the required OU, the user is not able to navigate to it, as the domain subtree is not visible.
How to limit the access to just one particular OU?
In this video Robert Tovar demonstrates the desired behaviour:
A minor side effect of this method is that the delegated users will be able to see all the OUs in the path to the target OU from the domain level.