Windows seems to apply the search filter after the ACL check. If a user doesn't have the right to see an attribute, it is simply handled as if it did not exist at all when the search filter is applied. E.g. if the user doesn't have the right to see the samAccountType attribute, the following filter:

'(&(objectCategory=person)(objectSid=*)(!(samAccountType:1.2.840.113556.1.4.804:=3)))'

will effectively be the same as just:

'(&(objectCategory=person)(objectSid=*))'

Samba takes a different strategy: it checks all attribute names it finds in the search filter, and if any of these attributes is hidden from the user, the whole object is hidden.
I'm pretty sure this is the new approach after CVE-2023-0614:

commit d5d0e71279790fdcf7e72749210b42b2faaa53f7
Author: Jo Sutton <josutton@catalyst.net.nz>
Date:   Fri Mar 3 17:34:29 2023 +1300

    CVE-2023-0614 ldb: Prevent disclosure of confidential attributes

    Add a hook, acl_redact_msg_for_filter(), in the aclread module, that
    marks inaccessible any message elements used by an LDAP search filter
    that the user has no right to access.

    Make the various ldb_match_*() functions check whether message elements
    are accessible, and refuse to match any that are not.

    Remaining message elements, not mentioned in the search filter, are
    checked in aclread_callback(), and any inaccessible elements are
    removed at this point.

    ...
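To make the difference between the two strategies concrete, here is an added example (constructed for this discussion, not code from Samba, Windows or the commit above) that models both: "redact first, then match" as the first comment describes for Windows, and "hide the object if the filter references an unreadable attribute" as it describes for Samba and as the CVE-2023-0614 commit message outlines. A third, naive strategy that matches on the full object and only redacts the result is included so the disclosure the commit prevents is visible in the same run. The object, its SID, the set of readable attributes and the account-type value are all constructed; the filter is the one from the first comment, and the parser handles only the filter subset it needs (and/or/not, equality, presence and the BIT_AND / BIT_OR extensible matches).

```python
"""Model of filter-vs-ACL evaluation strategies for an LDAP search.

Constructed example, not Samba or Windows code.  Supported filter subset:
(&...), (|...), (!...), (attr=value), (attr=*) and the extensible matches
attr:1.2.840.113556.1.4.803:=N (BIT_AND) and attr:1.2.840.113556.1.4.804:=N
(BIT_OR).  Escapes and substring filters are deliberately not handled.
"""
from __future__ import annotations

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
BIT_OR_RULE = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR


def parse_filter(text: str) -> tuple:
    """Parse an RFC 4515 style filter string into a nested tuple tree."""
    node, pos = _parse(text.strip(), 0)
    if pos != len(text.strip()):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s: str, i: int) -> tuple[tuple, int]:
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        kind = "and" if s[i] == "&" else "or"
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        node = (kind, children)
    elif s[i] == "!":
        child, i = _parse(s, i + 1)
        node = ("not", child)
    else:
        end = s.index(")", i)
        attr, _, value = s[i:end].partition("=")
        i = end
        if attr.endswith(":"):                      # attr:OID:=value
            name, _, rule = attr[:-1].partition(":")
            if rule not in (BIT_AND_RULE, BIT_OR_RULE):
                raise ValueError(f"unsupported matching rule {rule}")
            kind = "bitand" if rule == BIT_AND_RULE else "bitor"
            node = (kind, name.lower(), int(value))
        elif value == "*":
            node = ("present", attr.lower())
        else:
            node = ("eq", attr.lower(), value)
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def referenced_attributes(node: tuple) -> set[str]:
    """Every attribute name (lower-cased) the filter tree tests."""
    kind = node[0]
    if kind in ("and", "or"):
        return set().union(*(referenced_attributes(c) for c in node[1]))
    if kind == "not":
        return referenced_attributes(node[1])
    return {node[1]}


def _match(node: tuple, obj: dict[str, list[str]]) -> bool:
    """Evaluate the filter; an absent attribute never matches, so (!(absent=x)) is true."""
    kind = node[0]
    if kind == "and":
        return all(_match(c, obj) for c in node[1])
    if kind == "or":
        return any(_match(c, obj) for c in node[1])
    if kind == "not":
        return not _match(node[1], obj)
    values = obj.get(node[1])
    if values is None:
        return False
    if kind == "present":
        return True
    if kind == "eq":
        return any(v.lower() == node[2].lower() for v in values)
    mask = node[2]                                   # bitand / bitor
    for v in values:
        try:
            n = int(v)
        except ValueError:
            continue
        if kind == "bitor" and (n & mask) != 0:
            return True
        if kind == "bitand" and (n & mask) == mask:
            return True
    return False


def match_ignoring_acl(obj: dict, readable: set[str], flt: tuple) -> bool:
    """Naive: match on the full object, redact only the returned attributes.
    Whether the object comes back then reveals the value of a hidden attribute."""
    return _match(flt, obj)


def match_redact_first(obj: dict, readable: set[str], flt: tuple) -> bool:
    """Windows-style per the first comment: unreadable attributes are absent
    before the filter runs, so a negated test on a hidden attribute succeeds."""
    return _match(flt, {a: v for a, v in obj.items() if a in readable})


def match_hide_if_referenced(obj: dict, readable: set[str], flt: tuple) -> bool:
    """Samba-style per the first comment: any unreadable attribute named in
    the filter hides the whole object."""
    if referenced_attributes(flt) - readable:
        return False
    return _match(flt, obj)


# Constructed object: a machine account (samAccountType 0x30000001) with a placeholder SID.
COMPUTER = {
    "objectcategory": ["person"],
    "objectsid": ["S-1-5-21-0-0-0-1105"],
    "samaccounttype": [str(0x30000001)],
}
FILTER = parse_filter(
    "(&(objectCategory=person)(objectSid=*)(!(samAccountType:1.2.840.113556.1.4.804:=3)))"
)
FULL_READ = {"objectcategory", "objectsid", "samaccounttype"}
NO_SAT = {"objectcategory", "objectsid"}            # samAccountType hidden from this user


def compare(obj: dict, readable: set[str], flt: tuple) -> dict[str, bool]:
    """Return, per strategy, whether the object would be included in the result set."""
    return {
        "ignoring_acl": match_ignoring_acl(obj, readable, flt),
        "redact_first": match_redact_first(obj, readable, flt),
        "hide_if_referenced": match_hide_if_referenced(obj, readable, flt),
    }


if __name__ == "__main__":
    print("full rights      :", compare(COMPUTER, FULL_READ, FILTER))
    print("samAccountType hidden:", compare(COMPUTER, NO_SAT, FILTER))
```

With full read rights all three strategies exclude the machine account, because the BIT_OR test on 0x30000001 succeeds and the negation fails. With samAccountType hidden, the redact-first strategy returns the object (the negated clause is now true, which is exactly the equivalence to '(&(objectCategory=person)(objectSid=*))' the first comment points out), the hide-if-referenced strategy returns nothing, and the naive strategy still excludes it only because it silently used the hidden value; running the un-negated '(samAccountType:1.2.840.113556.1.4.804:=3)' against the same object shows that naive strategy returning the object, i.e. leaking a bit of the confidential attribute through the result set.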