Using Confidential Bits to Hide AD Object Attributes

Q: I'm looking for a technique to hide specific Active Directory (AD) object attributes from users who only have generic read permissions to the attribute. One of the attributes I would love to hide, for example, is my employees’ smart card identifier numbers. Does the AD access control model out-of-the-box support something that can help me out?

A: By default, every AD user has read permission to all of the attributes of his proper AD user object. This is because in the AD access control model the Windows SELF well-known-security-principal is granted the Read All Properties permission to a user object.
As you refer to in your question, this is problematic if you want to prevent access to sensitive data for accounts that have been granted read access to certain attributes either directly, or through the all encompassing Read All Properties permission. You may, for example, want to hide the content of AD attributes holding the social security number of employees, their smart card IDs, or even their employee ID.
This is where the confidential bit comes in that Microsoft introduced in Windows Server 2003 SP1. As the name implies, the confidential bit configures specific attributes in AD to be confidential, which translates to "not-accessible to any user without a special permission that is different from plain read permission".
The basic steps behind configuring the confidential bit for a given AD attribute are the following:
• The confidential bit must set as bit 7 (=128 decimal value) in the searchFlags property of an attributeSchema object in the AD schema. This means that if you add 128 to any existing value the attribute will be marked as confidential.
• Granting access to a confidential attribute to users or groups who need to read the confidential data in the attribute, requires that you grant these users CONTROL_ACCESS permission on the attribute for the respective objects. . . .