active directory – How can I tell what AD paths an AD user will be able to query over LDAP?

How can I tell what AD paths a user will be able to query over LDAP? Eg. when I connect to our mock AD controller server as a test user via Microsoft ADExplorer, I notice I can look at (what appears to be) the entire AD structure and have the ability to edit any other object in any path.

Is there somewhere in this test user’s attributes where I can see where this access is specified? Somewhere in the user’s properties in the AD Admin Center UI? Basically, I want to limit it so that they can only query their own base (or a few select) OUs/directories when making LDAP queries or connecting over ADExplorer.

Also, is there a way to restrict them from connecting over ADEXplorer and similar apps?