with winbind in nsswitch on a AD DC user and group enumerations are always enabled. The parameter winbind enum users/groups should be honored in this setup also.
*** Bug 10746 has been marked as a duplicate of this bug. ***
see patch in this thread:
but as winbind 4 should vanish anyway, work should better be put in complete winbind 3 integration for ad dc setups maybe...
since samba 4.2 we have the previous winbind implementation again, which effectively fixes this bug.