I'm thinking that if you put your OUs in the ePO System Tree, and then create permission sets for the target users that grant access only to the specified folders, with the target recovery-key permissions, this might be a way it could work. Anyone else have any ideas?
Moved to EPO managed for better support