Win32_Account

The class Win32_Account represents local and domain-wide user accounts and group accounts.

Methods

Win32_Account has no methods.

Properties

Win32_Account returns 8 properties:

'Caption','Description','Domain','InstallDate','LocalAccount','Name','SID','SIDType'

Unless explicitly marked as WRITEABLE, all properties are read-only.

Caption

STRING MAX 64 CHAR

Short description of the object.

# returning class instances:
Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, Caption

# reading property value:
Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, Caption | Foreach-Object {

  $Domain = $_.Domain
  $value = $_.Caption
  "${Domain}: Caption = $value"
}

Description

STRING

Description of the object.

# returning class instances:
Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, Description

# reading property value:
Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, Description | Foreach-Object {

  $Domain = $_.Domain
  $value = $_.Description
  "${Domain}: Description = $value"
}

Domain

KEY PROPERTY STRING

Name of the Windows domain to which a group or user belongs.

Example: “NA-SALES”

# returning class instances:
Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name

# reading property value:
Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name | Foreach-Object {

  $Domain = $_.Domain
  $value = $_.Domain
  "${Domain}: Domain = $value"
}

InstallDate

DATETIME

Date and time that the object was installed. This property does not require a value to indicate that the object is installed.

# returning class instances:
Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, InstallDate

# reading property value:
Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, InstallDate | Foreach-Object {

  $Domain = $_.Domain
  $value = $_.InstallDate
  "${Domain}: InstallDate = $value"
}

LocalAccount

BOOL

If $true, the account is defined on the local machine. To retrieve only accounts defined on the local machine, design a query that includes the condition “LocalAccount=$true”.

# returning class instances:
Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, LocalAccount

# filtering all instances with LocalAccount set to $true:
Get-CimInstance -ClassName Win32_Account | Where-Object LocalAccount -eq $true | Select-Object -Property Domain, Name, LocalAccount

Name

KEY PROPERTY STRING

Name of the Windows system account on the domain specified by the Domain property of this class. This property overrides the Name property inherited from CIM_ManagedSystemElement.

# returning class instances:
Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name

# reading property value:
Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name | Foreach-Object {

  $Domain = $_.Domain
  $value = $_.Name
  "${Domain}: Name = $value"
}

SID

STRING

Security identifier (SID) for this account. A SID is a string value of variable length used to identify a trustee. Each account has a unique SID issued by an authority (such as a Windows domain), stored in a security database. When a user logs on, the system retrieves the user’s SID from the database and places it in the user’s access token. The system uses the SID in the user’s access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot be used again to identify another user or group.

# returning class instances:
Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, SID

# reading property value:
Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, SID | Foreach-Object {

  $Domain = $_.Domain
  $value = $_.SID
  "${Domain}: SID = $value"
}

SIDType

BYTE

Enumerated values that specify the type of security identifier (SID).

SIDType returns a numeric value. To translate it into meaningful text, use any of the following approaches:

Use Update-TypeData

Update-TypeData tells PowerShell how to interpret the property. This command needs to be executed only once per PowerShell session:

Update-TypeData -MemberName SIDType -TypeName "Microsoft.Management.Infrastructure.CimInstance#root/cimv2/win32_account" -MemberType ScriptProperty  -Value {
  Enum EnumSIDType
  {
    SidTypeUser             = 1
    SidTypeGroup            = 2
    SidTypeDomain           = 3
    SidTypeAlias            = 4
    SidTypeWellKnownGroup   = 5
    SidTypeDeletedAccount   = 6
    SidTypeInvalid          = 7
    SidTypeUnknown          = 8
    SidTypeComputer         = 9
  }

  [EnumSIDType]($this.PSBase.CimInstanceProperties['SIDType'].Value)
} -Force

Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, SIDType

Use Select-Object

Select-Object supports calculated properties. When you submit a hashtable, PowerShell dynamically calculates the result:

$SIDType = @{
  Name = 'SIDTypeText'
  Expression = {
    $value = $_.SIDType
    
    switch([int]$value)
      {
        1          {'SidTypeUser'}
        2          {'SidTypeGroup'}
        3          {'SidTypeDomain'}
        4          {'SidTypeAlias'}
        5          {'SidTypeWellKnownGroup'}
        6          {'SidTypeDeletedAccount'}
        7          {'SidTypeInvalid'}
        8          {'SidTypeUnknown'}
        9          {'SidTypeComputer'}
        default    {"$value"}
      }
      
  }  
}

Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, SIDType, $SIDType

Use a PowerShell Hashtable

You can use a PowerShell hashtable to decode numeric values. Use a hashtable like this one:

$SIDType_map = @{
      1 = 'SidTypeUser'
      2 = 'SidTypeGroup'
      3 = 'SidTypeDomain'
      4 = 'SidTypeAlias'
      5 = 'SidTypeWellKnownGroup'
      6 = 'SidTypeDeletedAccount'
      7 = 'SidTypeInvalid'
      8 = 'SidTypeUnknown'
      9 = 'SidTypeComputer'
}

Use Enum structure

You can cast the raw property values to a new enum type to translate raw numeric values into friendly text. Use an enum like this one:

Enum EnumSIDType
{
  SidTypeUser             = 1
  SidTypeGroup            = 2
  SidTypeDomain           = 3
  SidTypeAlias            = 4
  SidTypeWellKnownGroup   = 5
  SidTypeDeletedAccount   = 6
  SidTypeInvalid          = 7
  SidTypeUnknown          = 8
  SidTypeComputer         = 9
}
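
The LocalAccount condition, the SID property and the SIDType lookup table described above can be combined into an inventory of the accounts defined on a machine. This is an added example, not code from the original page; the function name Get-LocalAccountReport, the $wellKnownRid table and the output property names are assumptions made for illustration.

```powershell
# Added example; helper and variable names are illustrative assumptions.
$SIDType_map = @{
  1 = 'SidTypeUser';    2 = 'SidTypeGroup';          3 = 'SidTypeDomain'
  4 = 'SidTypeAlias';   5 = 'SidTypeWellKnownGroup'; 6 = 'SidTypeDeletedAccount'
  7 = 'SidTypeInvalid'; 8 = 'SidTypeUnknown';        9 = 'SidTypeComputer'
}

# Relative identifiers (last SID component) that stay fixed even if the account is renamed.
# Keys are strings because the RID is captured as text from the SID.
$wellKnownRid = @{
  '500' = 'built-in Administrator'
  '501' = 'built-in Guest'
}

function Get-LocalAccountReport {   # hypothetical helper name
  [CmdletBinding()]
  param()

  # Server-side WQL filter: only accounts defined on this machine are returned,
  # so a domain-joined host does not enumerate the whole domain.
  Get-CimInstance -ClassName Win32_Account -Filter 'LocalAccount=TRUE' |
    ForEach-Object {
      $rid  = $null
      $note = ''

      # SIDs issued by a machine or domain authority look like S-1-5-21-<a>-<b>-<c>-<RID>.
      if ($_.SID -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$') {
        $rid = $Matches[1]
        if ($wellKnownRid.ContainsKey($rid)) { $note = $wellKnownRid[$rid] }
      }

      [PSCustomObject]@{
        Domain      = $_.Domain
        Name        = $_.Name
        SID         = $_.SID
        # SIDType is a byte; cast to [int] so it matches the Int32 hashtable keys.
        SIDTypeText = $SIDType_map[[int]$_.SIDType]
        RID         = $rid
        Note        = $note
      }
    }
}

Get-LocalAccountReport | Sort-Object -Property SIDTypeText, Name | Format-Table -AutoSize
```

Because the Note column is derived from the RID rather than the Name, a renamed built-in Administrator or Guest account is still identified.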

CDXML Definition

You can turn this WMI class and its methods into PowerShell cmdlets by importing the CDXML file (Cmdlet Definition XML) below as a module.

Create Win32_Account.cdxml

$folder = "c:\wmi\Win32_Account"
$cdxmlPath = Join-Path -Path $folder -ChildPath "Win32_Account.cdxml"

# create folder if not present:
$exists = Test-Path -Path $folder
if (!$exists) { $null = New-Item -Path $folder -ItemType Directory }

# write file
$content = @'
<?xml version="1.0" encoding="utf-8"?>


<!--
This file is licensed under 'Attribution 4.0 International' license (https://creativecommons.org/licenses/by/4.0/).

You can free of charge use this code in commercial and non-commercial code, and you can freely modify and adjust the code 
as long as you give appropriate credit to the original author Dr. Tobias Weltner.

This material was published and is maintained here: 

https://powershell.one/wmi/root/cimv2/win32_account#cdxml-definition
-->


<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">
  <!--referencing the WMI class this cdxml uses-->
  <Class ClassName="Root/CIMV2\Win32_Account" ClassVersion="2.0">
    <Version>1.0</Version>
    <!--default noun used by Get-cmdlets and when no other noun is specified. By convention, we use the prefix "WMI" and the base name of the WMI class involved. This way, you can easily identify the underlying WMI class.-->
    <DefaultNoun>WmiAccount</DefaultNoun>
    <!--define the cmdlets that work with class instances.-->
    <InstanceCmdlets>
      <!--query parameters to select instances. This is typically empty for classes that provide only one instance-->
      <GetCmdletParameters />
      <GetCmdlet>
        <CmdletMetadata Verb="Get" />
        <GetCmdletParameters>
          <QueryableProperties>
            <Property PropertyName="Description">
              <Type PSType="system.string" />
              <RegularQuery AllowGlobbing="true">
                <CmdletParameterMetadata IsMandatory="false" />
              </RegularQuery>
            </Property>
            <Property PropertyName="Domain">
              <Type PSType="system.string" />
              <RegularQuery AllowGlobbing="true">
                <CmdletParameterMetadata IsMandatory="false" />
              </RegularQuery>
            </Property>
            <Property PropertyName="InstallDate">
              <Type PSType="system.datetime" />
              <MinValueQuery>
                <CmdletParameterMetadata PSName="BeforeInstallDate" />
              </MinValueQuery>
              <MaxValueQuery>
                <CmdletParameterMetadata PSName="AfterInstallDate" />
              </MaxValueQuery>
            </Property>
            <Property PropertyName="LocalAccount">
              <Type PSType="switch" />
              <RegularQuery AllowGlobbing="false">
                <CmdletParameterMetadata IsMandatory="false" />
              </RegularQuery>
            </Property>
            <Property PropertyName="Name">
              <Type PSType="system.string" />
              <RegularQuery AllowGlobbing="true">
                <CmdletParameterMetadata IsMandatory="false" />
              </RegularQuery>
            </Property>
            <Property PropertyName="SID">
              <Type PSType="system.string" />
              <RegularQuery AllowGlobbing="true">
                <CmdletParameterMetadata IsMandatory="false" />
              </RegularQuery>
            </Property>
            <Property PropertyName="SIDType">
              <Type PSType="Win32_Account.SIDType" />
              <RegularQuery AllowGlobbing="false">
                <CmdletParameterMetadata IsMandatory="false" />
              </RegularQuery>
            </Property>
          </QueryableProperties>
        </GetCmdletParameters>
      </GetCmdlet>
      <!--defining additional cmdlets that modifies instance properties-->
    </InstanceCmdlets>
  </Class>
  <!--defining enumerations-->
  <Enums>
    <Enum EnumName="Win32_Account.SIDType" UnderlyingType="byte">
      <Value Name="SidTypeUser" Value="1" />
      <Value Name="SidTypeGroup" Value="2" />
      <Value Name="SidTypeDomain" Value="3" />
      <Value Name="SidTypeAlias" Value="4" />
      <Value Name="SidTypeWellKnownGroup" Value="5" />
      <Value Name="SidTypeDeletedAccount" Value="6" />
      <Value Name="SidTypeInvalid" Value="7" />
      <Value Name="SidTypeUnknown" Value="8" />
      <Value Name="SidTypeComputer" Value="9" />
    </Enum>
  </Enums>
</PowerShellMetadata>
'@ | Set-Content -LiteralPath $cdxmlPath -Encoding UTF8

# import module
Import-Module -Name $cdxmlPath -Force -Verbose

# list new cmdlets
Get-Command -Module "Win32_Account"

See here for more information on CDXML and CDXML-based PowerShell modules.

Requirements

To use Win32_Account, the following requirements apply:

PowerShell

Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.

If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.

Operating System

Win32_Account was introduced on clients with Windows Vista and on servers with Windows Server 2008.

Namespace

Win32_Account lives in the namespace root/cimv2. This is the default namespace. There is no need to use the -Namespace parameter in Get-CimInstance.

Implementation

Win32_Account is implemented in CIMWin32.dll and defined in CIMWin32.mof. Both files are located in the folder C:\Windows\system32\wbem:

explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\CIMWin32.mof