Restricting ability to search or add contacts (based on A/D groups)

Hi,

I’m not sure if I am unique in this situation but wanted to share my scenario and see if anyone had any ideas about how to accomplish what I want to accomplish.

We are cloud hosting provider that provides remote desktop services under a single active directory domain.

We want to allow our remote desktop cusotmers to be able to use Spark and Openfire to communicate with one another.

We want to limit our customers to only be able to communicate and search for employees in their own company.

Each company has their own OU and security groups within our root A/D domain.

As it is right now, a customer can long using Spark, do a search for “*” and return every single user in our domain.

Any thoughts as to how we can accomplish this?

Thanks,

-g