Microsoft Knowledge Base Article 922836 contains the following summary and introduction:
In the Active Directory directory service for Microsoft Windows Server 2000 and for Microsoft Windows Server 2003,
it is difficult to prevent an authenticated user from reading an attribute. Generally, if the user requests READ_PROPERTY permissions for
an attribute or for its property set, read access is granted. Default security in Active Directory is set so that authenticated users have
read access to all attributes. This article discusses how to prevent read access for an attribute in Windows Server 2003 Service Pack 1 (SP1).
This article describes how to mark an attribute as confidential in Windows Server 2003 Service Pack 1.
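
The following is an added example, not part of the quoted Knowledge Base text. It audits a schema export for attributes that carry the confidential flag and models the resulting read check. It relies on details the excerpt above does not spell out and that are taken here from general Active Directory schema documentation: the flag is bit 128 (0x80) of `searchFlags`, reading a confidential attribute requires CONTROL_ACCESS in addition to READ_PROPERTY, and base-schema attributes (`systemFlags` bit 16) cannot be marked. The attribute names, DNs and function names are constructed for illustration.

```python
import re

F_CONFIDENTIAL = 0x80            # searchFlags bit 7: attribute is confidential
FLAG_SCHEMA_BASE_OBJECT = 0x10   # systemFlags: attribute belongs to the base schema
READ_PROPERTY = 0x10             # ADS_RIGHT_DS_READ_PROP
CONTROL_ACCESS = 0x100           # ADS_RIGHT_DS_CONTROL_ACCESS

# Constructed schema export; attribute names and DNs are made up.
SAMPLE_LDIF = """\
dn: CN=Example-Badge-Pin,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: exampleBadgePin
searchFlags: 128
systemFlags: 0

dn: CN=Example-Cost-Center,CN=Schema,CN=Configuration,
 DC=example,DC=com
lDAPDisplayName: exampleCostCenter
searchFlags: 1

dn: CN=Example-Base-Attr,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: exampleBaseAttr
searchFlags: 0
systemFlags: 16
"""

def parse_schema(ldif):
    """Return {lDAPDisplayName: {"searchFlags": int, "systemFlags": int}}."""
    attrs = {}
    unfolded = re.sub(r"\n ", "", ldif)          # undo LDIF line folding
    for record in re.split(r"\n\s*\n", unfolded.strip()):
        fields = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        attrs[fields["lDAPDisplayName"]] = {k: int(fields.get(k, 0))
                                            for k in ("searchFlags", "systemFlags")}
    return attrs

def is_confidential(attr):
    return bool(attr["searchFlags"] & F_CONFIDENTIAL)

def can_be_marked_confidential(attr):
    # Base-schema attributes cannot take the flag on Windows Server 2003 SP1.
    return not attr["systemFlags"] & FLAG_SCHEMA_BASE_OBJECT

def read_allowed(attr, granted):
    """Model of the read check: confidential attributes also need CONTROL_ACCESS."""
    needed = READ_PROPERTY | (CONTROL_ACCESS if is_confidential(attr) else 0)
    return (granted & needed) == needed

for name, attr in parse_schema(SAMPLE_LDIF).items():   # caller holds READ_PROPERTY only
    print(name, is_confidential(attr), read_allowed(attr, READ_PROPERTY))
```

When reviewing a real export, also check who holds CONTROL_ACCESS (or full control) on the objects that carry the attribute, since those principals can still read it.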