One of the most frequent questions I am asked about the DSInternals PowerShell Module cmdlets that fetch password hashes from Active Directory (Get-ADReplAccount and Get-ADDBAccount) is whether they can return only accounts from a specified organizational unit (OU). While OU-based filtering is not yet implemented in DSInternals directly, two built-in PowerShell features can be used to achieve this goal.

A. Where-Object

The Where-Object cmdlet can easily be used to filter out unwanted objects based on any property, including OU:

<#
Replicates all AD accounts (DCSync), filters them by the Admins OU,
and tests their passwords against Have I Been Pwned (HIBP) list.
#>
Get-ADReplAccount -All -Server 'dc01.contoso.com' |
    Where-Object DistinguishedName -like '*,OU=Admins,DC=contoso,DC=com' |
    Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v7.txt

Sample output:

Active Directory Password Quality Report
----------------------------------------

Passwords of these accounts are stored using reversible encryption:
  CONTOSO\Administrator

LM hashes of passwords of these accounts are present:

These accounts have no password set:

Passwords of these accounts have been found in the dictionary:
  CONTOSO\Administrator
  CONTOSO\jdoe_admin

These groups of accounts have the same passwords:
  Group 1:
    CONTOSO\dholden_admin
    CONTOSO\jsmith_admin
  Group 2:
    CONTOSO\pgoldman_admin
    CONTOSO\sgates_admin

These computer accounts have default passwords:

Kerberos AES keys are missing from these accounts:
  CONTOSO\Administrator

Kerberos pre-authentication is not required for these accounts:

Only DES encryption is allowed to be used with these accounts:

These accounts are susceptible to the Kerberoasting attack:
  CONTOSO\jsmith_admin

These administrative accounts are allowed to be delegated to a service:
  CONTOSO\Administrator
  CONTOSO\dholden_admin
  CONTOSO\jsmith_admin

Passwords of these accounts will never expire:
  CONTOSO\Administrator

These accounts are not required to have a password:

These accounts that require smart card authentication have a password:
  CONTOSO\jsmith_admin

B. Pipeline Input

The second option is to first fetch the desired accounts using the Get-ADUser cmdlet and then pipe them into DSInternals:

<#
Fetches the list of all accounts from the Admins OU,
replicates their passwords, and checks them against the HIBP list.
#>
Get-ADUser -SearchBase 'OU=Admins,DC=contoso,DC=com' -Filter * |
    Select-Object -Property ObjectGuid |
    Get-ADReplAccount -Server 'dc01.contoso.com' |
    Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v7.txt
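Both approaches above match the whole subtree of the OU: the '*,OU=Admins,DC=contoso,DC=com' wildcard in option A and the default Subtree scope of Get-ADUser in option B also pick up accounts in nested OUs such as OU=Tier0,OU=Admins,DC=contoso,DC=com. The following helper is an added example (my own code, not part of the original post or of the DSInternals module) that makes this choice explicit for the Where-Object approach: it filters any objects carrying a DistinguishedName property, and the -Recurse switch decides whether nested OUs are included. The function name, its parameters, and the sample accounts are constructed for this illustration.

```powershell
# Added example, not from the original post or from DSInternals.
# Selects accounts whose DistinguishedName sits in a given OU, either as
# direct children only (default) or anywhere in the subtree (-Recurse).
function Select-AccountByOU {
    [CmdletBinding()]
    param(
        # Any object with a DistinguishedName property, e.g. Get-ADReplAccount output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $InputObject,

        # Distinguished name of the OU, e.g. 'OU=Admins,DC=contoso,DC=com'.
        [Parameter(Mandatory)]
        [string] $SearchBase,

        # Include accounts from nested OUs as well.
        [switch] $Recurse
    )
    begin {
        # Escape the search base so that it is matched literally.
        $suffix = [regex]::Escape($SearchBase)
        # Direct children have exactly one RDN in front of the search base.
        # The RDN may contain escaped commas (CN=Doe\, Jane), so allow "\," inside it.
        $pattern = if ($Recurse) {
            '^.+,{0}$' -f $suffix
        } else {
            '^(?:[^,\\]|\\.)+,{0}$' -f $suffix
        }
    }
    process {
        # -match is case-insensitive by default, which suits LDAP distinguished names.
        if ($InputObject.DistinguishedName -match $pattern) {
            $InputObject
        }
    }
}

# Constructed sample objects standing in for Get-ADReplAccount output.
$sampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'jdoe_admin'; DistinguishedName = 'CN=jdoe_admin,OU=Admins,DC=contoso,DC=com' }
    [pscustomobject]@{ SamAccountName = 'jdoe_jane';  DistinguishedName = 'CN=Doe\, Jane,OU=Admins,DC=contoso,DC=com' }
    [pscustomobject]@{ SamAccountName = 'tier0svc';   DistinguishedName = 'CN=tier0svc,OU=Tier0,OU=Admins,DC=contoso,DC=com' }
    [pscustomobject]@{ SamAccountName = 'bob';        DistinguishedName = 'CN=bob,OU=Users,DC=contoso,DC=com' }
)

# Direct children of the Admins OU only.
$sampleAccounts |
    Select-AccountByOU -SearchBase 'OU=Admins,DC=contoso,DC=com' |
    Select-Object -ExpandProperty SamAccountName

# The whole Admins subtree, including OU=Tier0.
$sampleAccounts |
    Select-AccountByOU -SearchBase 'OU=Admins,DC=contoso,DC=com' -Recurse |
    Select-Object -ExpandProperty SamAccountName

# Against a real domain, the helper slots into the pipeline from option A:
# Get-ADReplAccount -All -Server 'dc01.contoso.com' |
#     Select-AccountByOU -SearchBase 'OU=Admins,DC=contoso,DC=com' -Recurse |
#     Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v7.txt
```

On the sample data, the first call yields jdoe_admin and jdoe_jane, while the -Recurse call also yields tier0svc; bob is never selected. For option B the equivalent switch is the -SearchScope parameter of Get-ADUser (OneLevel for direct children, Subtree for the whole OU tree). Keep in mind that Get-ADUser returns user objects only, so computer and managed service accounts in the OU are not audited by option B unless they are fetched separately (for example with Get-ADObject, which also exposes an ObjectGUID that Get-ADReplAccount accepts from the pipeline).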

I will probably add these two examples to the Get-Help documentation.