1) Create an Access Template with a single permission: Deny List Object for All Classes (All object Classes > Object access > List Object > Deny) ;
2) Then link the newly created AT to the 'AD LDS' and 'Configuration nodes' specifying the required group(s)/user(s) as trustees. Alternatively, you could specify 'Authenticated Users' as trustee, if you wish to limit access to those nodes to DSAdmins only.
When linking the AT, please make sure to specify the "This directory object" option in the "Apply permissions onto" page. This will ensure the deny permission impacts only those 2 objects.
Please note that this solution affects only the MMC console. For the WI, the root nodes for the tree view is defined in the edsaWISettings XML attribute. Please, refer to:
The solution/workaround provided is known to work successfully; however, they have not been officially tested by One Identity Software Quality Control.
If any of these instructions are changed and/or incorrectly used, intentionally or unintentionally, this solution/workaround becomes unsupported by One Identity Software Support and Development.
One Identity Software Support and Development recommend always making a backup of the current configuration and referenced file(s) prior to the implementation of any solutions/workarounds that may modify it/them.
For expert customization advice of ActiveRoles Server