Question

In PowerShell, I already know how to use DirectoryEntry and DirectorySearcher to get a list of users in a certain OU. The results of this method are mostly what I am looking for in AD, but it seems easier to get the same information by using a WMI query Win32_UserAccount. I like the properties of this class better and the SID is already in the correct string format (in the first method it needs to be converted from a hex byte array to string).

The problem I have with using Win32_UserAccount is that I cannot find a way to filter it by an OU. I can successfully filter by domain and name, and have tried several guesses with WQL, but can't seem to find any syntax for an OU filter. Most of my attempts result in "Invalid query." The following is an example of a query that works:

$user = gwmi Win32_UserAccount -filter "name='somebody' AND domain='mydomain'"

If there is no way to filter this by OU then I will go back to using the DirectoryEntry/DirectorySearcher.

Solution

Given that there are no LDAP-related properties for the Win32_Account class, I think you're out of luck, unfortunately.

You could, of course, use this to get the SID in the format you want, in addition to the directory searching to get the LDAP-related data.
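
The DirectorySearcher route mentioned in the question and in this answer, as an added example that is not code from the original posts: the search is rooted at the OU and objectSid is converted to the S-1-... string with System.Security.Principal.SecurityIdentifier. The function names and the OU distinguished name are hypothetical, and the sample bytes are constructed.

```powershell
# Added example, not from the original posts. Function names are hypothetical.
function ConvertTo-SidString {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # SecurityIdentifier parses the binary SID layout (revision, sub-authority
    # count, 48-bit authority, little-endian sub-authorities) into S-1-... form.
    (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
}

function Get-OuUserSid {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [switch]$OneLevel   # only direct children of the OU, no sub-OUs
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuDistinguishedName")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    try {
        $searcher.Filter = '(&(objectCategory=person)(objectClass=user))'
        $scope = if ($OneLevel) { 'OneLevel' } else { 'Subtree' }
        $searcher.SearchScope = $scope
        $searcher.PageSize = 1000   # page results so large OUs are not truncated
        foreach ($p in 'sAMAccountName', 'distinguishedName', 'objectSid') {
            [void]$searcher.PropertiesToLoad.Add($p)
        }
        $results = $searcher.FindAll()
        try {
            foreach ($r in $results) {
                [pscustomobject]@{
                    Name              = [string]$r.Properties['samaccountname'][0]
                    DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                    Sid               = ConvertTo-SidString ([byte[]]$r.Properties['objectsid'][0])
                }
            }
        } finally { $results.Dispose() }   # FindAll() holds unmanaged resources
    } finally { $searcher.Dispose(); $root.Dispose() }
}

# Constructed sample SID bytes, to exercise the conversion without a domain.
[byte[]]$sample = 1,5,0,0,0,0,0,5,21,0,0,0,1,0,0,0,2,0,0,0,3,0,0,0,245,1,0,0
ConvertTo-SidString $sample

# Placeholder OU; replace with a real distinguished name before running.
# Get-OuUserSid -OuDistinguishedName 'OU=Example,DC=mydomain,DC=local'
```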

Other tips

Are you familiar with the free AD cmdlets from Quest?

http://www.quest.com/powershell/activeroles-server.aspx

You can filter users based on OU and get the SID in various formats:

PS> Get-QADUser -SizeLimit 0 -SearchRoot '<OU_DistinguishedName>' | fl *sid*

objectSid : 0105000000000005150000006753F33372134F3FF673476FF4023001
Sid       : S-1-5-21-54781788-1045369324-1866953526-501
(...)
Licensed under: CC-BY-SA with attribution