Hi Thomas,
When you say they can see, what is the console you are refering to. What is the cmd or steps that list all the users.
Please understand Domain Users permission is enough is to list all the users or contacts in AD. You don't need any special permission to view them. If you have something special that you need to hide, you need to remove the read permission on that object(s). Which might give rise to some other issues.
But if the console is EAC or EMS, then RBAC will apply and some restrictions can be made.
To make there list shorter, we need to know, what are you using to list