I've successfully created a limited Management role, and assigned a user to it, that allows a junior admin only two things via the ECP web page:
-- Reset passwords in a particular Org Unit
-- Create new users in the same
The write privileges are no problem: you just pick the scope. However they really shouldn't see the AD data (users, groups) for any other OU. But when they log in, the Whole World is listed.
Everything I've read seems to give no flexibility to the Read Scope -- that it must be implicit and include the entire Organization: https://technet.microsoft.com/en-us/library/dd335146(v=exchg.150).aspx#ImplicitScopes
I know that's an irrational restriction, and there's a way to do what I want, and that it's going to be much more involved than I would ever want, but that it is possible, so I was hoping to be pointed in the right direction.
UPDATE Looks to be not possible: https://social.technet.microsoft.com/Forums/exchange/en-US/a063a190-89a4-4611-aa8d-772ab5a832f7/exchange-2013-rbac-read-scope?forum=exchangesvradmin&prof=required but this is just very surprising.
After much searching and several similar posts, it's now clear that it simply is not possible.
https://social.technet.microsoft.com/Forums/office/en-US/35e1096a-fa9a-4d98-a56a-84b40f4fa0ab/change-implicitrecipientreadscope-in-rbac?forum=exchange2010