Windows seems to apply the search filter after the ACL check.
If a user doesn't have the right to see an attribute, it is simply handled
as if it did not exist at all when the search filter is applied.
E.g. if the user doesn't have the right to see the samAccountType attribute
the following filter:
Will effectively be the same as just:
Samba takes a different strategy: it checks all
attribute names it finds in the search filter, and if any
of these attributes is hidden from the user, the whole
object is hidden.
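The two strategies described above, modelled side by side as an added example (not code from Windows or Samba). The tuple filter form, the function names, the sample entry and the four filters are constructed for illustration, and the evaluation is simplified to two-valued logic.

```python
# Added illustration; the tuple filter form and sample data are constructed.
# Filter nodes: ("and", f...), ("or", f...), ("not", f), ("eq", attr, value)

def attrs_in(f):
    """Every attribute name referenced anywhere in the filter (lowercased)."""
    if f[0] == "eq":
        return {f[1].lower()}
    return set().union(*(attrs_in(sub) for sub in f[1:]))

def matches(f, entry):
    """Two-valued evaluation: an attribute missing from entry never matches."""
    op = f[0]
    if op == "and":
        return all(matches(sub, entry) for sub in f[1:])
    if op == "or":
        return any(matches(sub, entry) for sub in f[1:])
    if op == "not":
        return not matches(f[1], entry)
    if op == "eq":
        return f[2] in entry.get(f[1].lower(), [])
    raise ValueError(f"unknown filter node: {op!r}")

def windows_style(f, entry, hidden):
    """ACL first: hidden attributes are dropped, then the filter is applied."""
    visible = {k: v for k, v in entry.items() if k not in hidden}
    return matches(f, visible)

def samba_style(f, entry, hidden):
    """Any hidden attribute named in the filter hides the whole object."""
    if attrs_in(f) & hidden:
        return False
    return matches(f, entry)

ENTRY = {"cn": ["alice"], "samaccounttype": ["805306368"]}  # constructed
HIDDEN = {"samaccounttype"}  # attributes this user may not read

CN = ("eq", "cn", "alice")
TYPE = ("eq", "sAMAccountType", "805306368")
FILTERS = {"cn only": CN, "and": ("and", CN, TYPE),
           "or": ("or", CN, TYPE), "and-not": ("and", CN, ("not", TYPE))}

def compare():
    """Map filter label -> (returned by windows_style, returned by samba_style)."""
    return {name: (windows_style(f, ENTRY, HIDDEN), samba_style(f, ENTRY, HIDDEN))
            for name, f in FILTERS.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:8} windows={result[0]!s:5} samba={result[1]}")
```

In this model the two strategies agree on a plain conjunction and diverge once the hidden attribute sits under an OR or a NOT, where the first strategy still returns the object and the second hides it.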