3.1.1.3.1.3.2 Selection Filters
Active Directory supports the ability to filter the values of an attribute that are returned. By default, all values up to the default range of a given attribute are returned. A selection filter is used to filter values to be returned by the server. When no selection filter is specified, the returned values of an attribute MUST NOT be filtered. An explicit selection filter specifies the filtering on the attribute values to be returned by the server.
Selection filtering is requested by specifying an Attribute Description ([RFC2251] section 4.1.5) with the "filtered" option. This option takes the form
filtered=B:char_count:binary_value
where char_count is the number (in decimal) of hexadecimal digits in binary_value and binary_value is the hexadecimal representation of a binary value. Each byte is represented by a pair of hexadecimal characters in binary_value, with the first character of each pair corresponding to the most-significant nibble of the byte. The first pair in binary_value corresponds to the first byte of the binary value, with subsequent pairs corresponding to the remaining bytes in sequential order. Note that char_count is always even in a syntactically valid selection filter.
The binary value is a BER encoded filter, as specified in [RFC2251] section 4.5.1.
Selection filters are available in DCs with a functional level of DS_BEHAVIOR_WIN2012R2 or greater.