hide-n-seek in Active Directory

The current workplace I am working has implemented an security policy to hide IT user, group and computer object from help desk staff. It is a OU based the control, which deny IT helpdesk group from listing content of OU. So helpdesk can have admin.pak installed and launch ADUC but can only work on MAC of normal user and computer.