Abstract: A method for provisioning a virtualized resource includes directing, by a provisioning machine, a server-executed hypervisor to provision a virtual machine. The provisioning machine directs generation of an organizational unit within a first organizational unit within a multi-tenant directory service separated from a second organizational unit in the multi-tenant directory service by a firewall. The provisioning machine associates the virtual machine with the first organizational unit. The provisioning machine establishes a firewall policy on the virtual machine restricting communications to the virtual machine and excluding a user associated with the second organizational unit. The provisioning machine receives a request to provision a virtualized resource for at least one user. The server establishes a connection between a client machine of the at least one user and the at least one virtual machine providing the at least one virtual resource.