diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java index c2b16eff4..052849520 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java @@ -176,6 +176,34 @@ public class ModeledUser extends ModeledDirectoryObject implements Us @Inject private UserPermissionService userPermissionService; + /** + * Whether attributes which control access restrictions should be exposed + * via getAttributes() or allowed to be set via setAttributes(). + */ + private boolean exposeRestrictedAttributes = false; + + /** + * Initializes this ModeledUser, associating it with the current + * authenticated user and populating it with data from the given user + * model. + * + * @param currentUser + * The user that created or retrieved this object. + * + * @param model + * The backing model object. + * + * @param exposeRestrictedAttributes + * Whether attributes which control access restrictions should be + * exposed via getAttributes() or allowed to be set via + * setAttributes(). + */ + public void init(ModeledAuthenticatedUser currentUser, UserModel model, + boolean exposeRestrictedAttributes) { + super.init(currentUser, model); + this.exposeRestrictedAttributes = exposeRestrictedAttributes; + } + /** * The plaintext password previously set by a call to setPassword(), if * any. The password of a user cannot be retrieved once saved into the 
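Review bot: The new `exposeRestrictedAttributes` field relies on its `false` default to stay fail-closed whenever an instance is initialized through the superclass `init(currentUser, model)` rather than the three-argument overload added here, but the Javadoc does not say so. I would state it on the field, e.g. `Defaults to false, so an instance initialized without the three-argument init() neither exposes nor accepts restricted attributes.`, so that a later change to the default is recognised as a change to access control. The `@param exposeRestrictedAttributes` text could also say that the caller makes the permission decision, since this class only stores the flag. Where that decision is made is not visible in this hunk.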
@@ -309,10 +337,16 @@ public class ModeledUser extends ModeledDirectoryObject implements Us return userPermissionService.getPermissionSet(getCurrentUser(), this); } - @Override - public Map getAttributes() { - - Map attributes = new HashMap(); + /** + * Stores all restricted (privileged) attributes within the given Map, + * pulling the values of those attributes from the underlying user model. + * If no value is yet defined for an attribute, that attribute will be set + * to null. + * + * @param attributes + * The Map to store all restricted attributes within. + */ + private void putRestrictedAttributes(Map attributes) { // Set disabled attribute attributes.put(DISABLED_ATTRIBUTE_NAME, getModel().isDisabled() ? "true" : null); @@ -335,7 +369,6 @@ public class ModeledUser extends ModeledDirectoryObject implements Us // Set timezone attribute attributes.put(TIMEZONE_ATTRIBUTE_NAME, getModel().getTimeZone()); - return attributes; } /** @@ -396,8 +429,14 @@ public class ModeledUser extends ModeledDirectoryObject implements Us } - @Override - public void setAttributes(Map attributes) { + /** + * Stores all restricted (privileged) attributes within the underlying user + * model, pulling the values of those attributes from the given Map. + * + * @param attributes + * The Map to pull all restricted attributes from. + */ + private void setRestrictedAttributes(Map attributes) { // Translate disabled attribute getModel().setDisabled("true".equals(attributes.get(DISABLED_ATTRIBUTE_NAME))); 
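Review bot: In `setRestrictedAttributes()` (hunk `@@ -396,8 +429,14 @@`), the unchanged line `getModel().setDisabled("true".equals(attributes.get(DISABLED_ATTRIBUTE_NAME)));` treats a missing key the same as an explicit non-true value, so any map that lacks the key re-enables a disabled account. This matters more after this commit, because `getAttributes()` on a non-exposing instance now returns a map without the restricted keys. If such a map can ever reach an exposing instance (no such path is visible here, so this is something to rule out), the restriction would be cleared. Guarding the assignment with `if (attributes.containsKey(DISABLED_ATTRIBUTE_NAME))` would leave omitted attributes unchanged. The rest of the method body lies outside the hunk, and the same question applies to the other restricted attributes it handles.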
@@ -438,6 +477,27 @@ public class ModeledUser extends ModeledDirectoryObject implements Us } + @Override + public Map getAttributes() { + + Map attributes = new HashMap(); + + // Include restricted attributes only if they should be exposed + if (exposeRestrictedAttributes) + putRestrictedAttributes(attributes); + + return attributes; + } + + @Override + public void setAttributes(Map attributes) { + + // Assign restricted attributes only if they are exposed + if (exposeRestrictedAttributes) + setRestrictedAttributes(attributes); + + } + /** * Returns the time zone associated with this user. This time zone must be * used when interpreting all date/time restrictions related to this user. diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java index 76a05f857..7935f864d 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java @@ -147,15 +147,35 @@ public class UserService extends ModeledDirectoryObjectService
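Review bot: The new `ModeledUser.setAttributes()` drops the whole map without any signal when `exposeRestrictedAttributes` is false, so a caller lacking the privilege cannot tell an ignored change from an applied one, and nothing is recorded for audit. If silently ignoring is the intended contract, say so in Javadoc on the override, e.g. `Restricted attributes are ignored, not rejected, unless this object was initialized with exposeRestrictedAttributes set.` A debug-level log entry on the ignored path would also help when investigating attempted changes to access restrictions. As a style point, both new `if` statements in `getAttributes()` and `setAttributes()` are unbraced; braces would make it harder for a later second statement to fall outside the guard.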