Windows seems to apply the search filter after the ACL check: if the user doesn't have the right to read an attribute, the filter is evaluated as if that attribute did not exist on the object at all. E.g. if the user doesn't have the right to see the samAccountType attribute, the filter

'(&(objectCategory=person)(objectSid=*)(!(samAccountType:1.2.840.113556.1.4.804:=3)))'

is effectively the same as just

'(&(objectCategory=person)(objectSid=*))'

because the negated clause is true for every object on which the attribute appears to be missing. Samba takes a different strategy: it checks all attribute names it finds in the search filter, and if any of these attributes is hidden from the user, the whole object is hidden.
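The two strategies, as an added model in Python (this is not Samba or Windows code). The filter parser, the evaluator, the sample objects and the "hidden attribute" set are all constructed here for illustration; only the matching-rule OID and the sAMAccountType constants are the real well-known values. Besides the filter from the text it also runs a variant with mask 2, which goes beyond the text: with the well-known values bit 1 is set only on SAM_TRUST_ACCOUNT, so that variant's NOT clause really excludes an object, and the example shows that object leaking back into the result under the Windows-style semantics once the attribute is hidden, while the Samba-style search returns nothing.

```python
BIT_AND_OID = "1.2.840.113556.1.4.804"  # LDAP_MATCHING_RULE_BIT_AND

# Well-known sAMAccountType values (real constants).
SAM_NORMAL_USER_ACCOUNT = 0x30000000
SAM_MACHINE_ACCOUNT = 0x30000001
SAM_TRUST_ACCOUNT = 0x30000002

# The filter from the text, and an added variant (mask 2) whose NOT clause
# excludes SAM_TRUST_ACCOUNT objects when the attribute is readable.
FILTER_PAGE = "(&(objectCategory=person)(objectSid=*)(!(samAccountType:1.2.840.113556.1.4.804:=3)))"
FILTER_VARIANT = "(&(objectCategory=person)(objectSid=*)(!(samAccountType:1.2.840.113556.1.4.804:=2)))"

# Constructed sample directory: attribute names lower-cased, objectCategory
# abbreviated to its RDN value ("person"/"computer") as AD itself allows.
OBJECTS = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=com", "objectcategory": "person",
     "objectsid": "S-1-5-21-1-2-3-1105", "samaccounttype": SAM_NORMAL_USER_ACCOUNT},
    {"dn": "CN=EXAMPLE$,CN=Users,DC=example,DC=com", "objectcategory": "person",
     "objectsid": "S-1-5-21-1-2-3-1106", "samaccounttype": SAM_TRUST_ACCOUNT},
    {"dn": "CN=WS01,CN=Computers,DC=example,DC=com", "objectcategory": "computer",
     "objectsid": "S-1-5-21-1-2-3-1107", "samaccounttype": SAM_MACHINE_ACCOUNT},
]


def parse_filter(text):
    """Parse a subset of RFC 4515 syntax into a tuple tree: ('&'|'|'|'!', kids),
    ('present', attr), ('eq', attr, value) or ('ext', attr, oid, value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            if op == "!" and len(kids) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, kids)
        end = text.index(")", pos)
        lhs, value = text[pos:end].split("=", 1)
        pos = end + 1
        if lhs.endswith(":"):              # attr:OID:=value (extensible match)
            attr, oid, _ = lhs.split(":")
            return ("ext", attr.lower(), oid, value)
        if value == "*":
            return ("present", lhs.lower())
        return ("eq", lhs.lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(node, attrs):
    """Evaluate a parsed filter over the attributes the caller can see.
    A missing attribute never matches, so a negated clause over it is true."""
    op = node[0]
    if op == "&":
        return all(matches(k, attrs) for k in node[1])
    if op == "|":
        return any(matches(k, attrs) for k in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    attr = node[1]
    if attr not in attrs:
        return False
    if op == "present":
        return True
    if op == "eq":
        return str(attrs[attr]).lower() == node[2].lower()
    if node[2] != BIT_AND_OID:
        raise ValueError("only the bit-AND matching rule is modelled")
    mask = int(node[3])
    return (int(attrs[attr]) & mask) == mask   # every asserted bit must be set


def filter_attributes(node):
    """Every attribute name the filter references (what Samba inspects)."""
    if node[0] in ("&", "|", "!"):
        found = set()
        for kid in node[1]:
            found |= filter_attributes(kid)
        return found
    return {node[1]}


def search_windows(objects, filter_text, hidden):
    """Windows-style: strip what the ACL hides, then evaluate the filter."""
    tree, hidden = parse_filter(filter_text), {h.lower() for h in hidden}
    return [o["dn"] for o in objects
            if matches(tree, {a: v for a, v in o.items() if a not in hidden})]


def search_samba(objects, filter_text, hidden):
    """Samba-style: an object is withheld if any filter attribute is hidden.
    `hidden` is one set for all objects here; a real ACL is per object,
    which is why the check sits inside the per-object loop."""
    tree, hidden = parse_filter(filter_text), {h.lower() for h in hidden}
    needed = filter_attributes(tree)
    return [o["dn"] for o in objects
            if not (needed & hidden) and matches(tree, o)]
```

Calling search_windows and search_samba with hidden={"sAMAccountType"} and FILTER_VARIANT shows the practical difference: Windows-style evaluation returns both the user and the trust account (the exclusion silently stopped working), Samba-style evaluation returns nothing. With the text's own mask-3 filter the two semantics only differ in whether the objects are returned at all, since neither well-known value has both low bits set.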