3.1.1.2.3.5 Flag fRODCFilteredAttribute in Attribute searchFlags
An attribute cannot be a member of a filtered attribute set if one of the following conditions is TRUE:
The FLAG_ATTR_NOT_REPLICATED bit is set in attribute systemFlags of the attributeSchema object;
The FLAG_ATTR_REQ_PARTIAL_SET_MEMBER bit is set in attribute systemFlags of the attributeSchema object;
The FLAG_ATTR_IS_CONSTRUCTED bit is set in attribute systemFlags of the attributeSchema object;
The FLAG_ATTR_IS_CRITICAL bit is set in attribute schemaFlagsEx of the attributeSchema object;
Attribute systemOnly of the attributeSchema object is TRUE;
The attribute is in the following list: currentValue, dBCSPwd, unicodePwd, ntPwdHistory, priorValue, supplementalCredentials, trustAuthIncoming, trustAuthOutgoing, lmPwdHistory, initialAuthIncoming, initialAuthOutgoing, msDS-ExecuteScriptPassword, displayName, codePage, creationTime, lockoutDuration, lockOutObservationWindow, logonHours, lockoutThreshold, maxPwdAge, minPwdAge, minPwdLength, nETBIOSName, pwdProperties, pwdHistoryLength, pwdLastSet, securityIdentifier, trustDirection, trustPartner, trustPosixOffset, trustType, rid, domainReplica, accountExpires, nTMixedDomain, operatingSystem, operatingSystemVersion, operatingSystemServicePack, fSMORoleOwner, trustAttributes, trustParent, flatName, sIDHistory, dNSHostName, lockoutTime, servicePrincipalName, isCriticalSystemObject, msDS-TrustForestTrustInfo, msDS-SPNSuffixes, msDS-AdditionalDnsHostName, msDS-AdditionalSamAccountName, msDS-AllowedToDelegateTo, msDS-KrbTgtLink, msDS-AuthenticatedAtDC, msDS-SupportedEncryptionTypes.
If one of the conditions is TRUE, the attribute will not be in the filtered attribute set even if the flag fRODCFilteredAttribute is set in attribute searchFlags of the attributeSchema object.