
function Get-PASAccount {
    <#
.SYNOPSIS
Returns details of matching accounts. (Version 10.4 onwards)
Returns information about a single account. (Version 9.3 - 10.3)

.DESCRIPTION
Version 10.4 onwards:
This method returns a list of either a specific, or all the accounts in the Vault.
Requires the following permission in the Safe: List accounts.

Version 9.3 - 10.3:
Returns information about an account. If more than one account meets the search criteria,
only the first account will be returned (the Count output parameter will display the number
of accounts that were found).
Only the following users can access this account:
    - Users who are members of the Safe where the account is stored
    - Users who have access to this specific account.
The user who runs this web service requires the following permission in the Safe:
    - Retrieve account
This method does not display the actual password.
If ten or more accounts are found, the Count output parameter will show 10.

.PARAMETER id
A specific account ID to return details for.

.PARAMETER search
The search term or keywords.

.PARAMETER sort
An account property to sort the results by.

.PARAMETER offset
An offset for the search results (to discard the first x results for instance).

.PARAMETER limit
A limit for the number of results to return.

.PARAMETER filter
A filter for the search.

.PARAMETER Keywords
Keyword to search for.
If multiple keywords are specified, the search will include all the keywords.
Separate keywords with a space.

.PARAMETER Safe
The name of a Safe to search. The search will be carried out only in the Safes in the Vault
that the authenticated user is authorized to access.

.PARAMETER sessionToken
Hashtable containing the session token returned from New-PASSession

.PARAMETER WebSession
WebRequestSession object returned from New-PASSession

.PARAMETER BaseURI
PVWA Web Address
Do not include "/PasswordVault/"

.PARAMETER PVWAAppName
The name of the CyberArk PVWA Virtual Directory.
Defaults to PasswordVault

.PARAMETER ExternalVersion
The External CyberArk Version, returned automatically from the New-PASSession function from version 9.7 onwards.

.EXAMPLE
$token | Get-PASAccount

Returns all accounts on safes where your user has "List accounts" rights.
This will only work from version 10.4 onwards.

.EXAMPLE
$token | Get-PASAccount -search root -sort name -offset 100 -limit 5

Returns all accounts matching "root", sorted by AccountName, with search results offset by 100 and limited to 5.

.EXAMPLE
$token | Get-PASAccount -Keywords root -Safe UNIX

Finds account(s) matching keywords in UNIX safe:

AccountID  : 19_6
Safe       : UNIX
Folder     : Root
Name       : UNIXSSH-machine-root
UserName   : root
PlatformID : UNIXSSH
DeviceType : Operating System
Address    : machine

.EXAMPLE
$token | Get-PASAccount -Keywords xtest

Finds accounts matching the specified keyword.
Only the first matching account will be returned.
If multiple accounts are found, a warning will be displayed before the result:

WARNING: 3 matching accounts found. Only the first result will be returned

AccountID  : 19_9
Safe       : TestSafe
Folder     : Root
Name       : Application-Cyberark-
UserName   : xTest3
PlatformID : Cyberark
DeviceType : Application
Address    :

.INPUTS
All parameters can be piped by property name
Should accept pipeline objects from other *-PASAccount functions

.OUTPUTS
Outputs Object of Custom Type psPAS.CyberArk.Vault.Account
SessionToken, WebSession, BaseURI are passed through and
contained in output object for inclusion in subsequent
pipeline operations.
AccountID, Account Safe, Safe Folder, Account Name,
and any other set property of the account are contained in output.

Output format is defined via psPAS.Format.ps1xml.
To force all output to be shown, pipe to Select-Object *

.NOTES
New functionality added in version 10.4, limited functionality before this version.
#>


    [CmdletBinding(DefaultParameterSetName = "v10ByQuery")]
    param(
        #Parameter names and types below follow the help text for this function
        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true,
            ParameterSetName = "v10ByID"
        )]
        [string]$id,

        [parameter(
            Mandatory = $false,
            ValueFromPipelinebyPropertyName = $true,
            ParameterSetName = "v10ByQuery"
        )]
        [string]$search,

        [parameter(
            Mandatory = $false,
            ValueFromPipelinebyPropertyName = $true,
            ParameterSetName = "v10ByQuery"
        )]
        [string]$sort,

        [parameter(
            Mandatory = $false,
            ValueFromPipelinebyPropertyName = $true,
            ParameterSetName = "v10ByQuery"
        )]
        [int]$offset,

        [parameter(
            Mandatory = $false,
            ValueFromPipelinebyPropertyName = $true,
            ParameterSetName = "v10ByQuery"
        )]
        [int]$limit,

        [parameter(
            Mandatory = $false,
            ValueFromPipelinebyPropertyName = $true,
            ParameterSetName = "v10ByQuery"
        )]
        [string]$filter,

        [parameter(
            Mandatory = $false,
            ValueFromPipelinebyPropertyName = $true,
            ParameterSetName = "v9"
        )]
        [ValidateLength(0, 500)]
        [string]$Keywords,

        [parameter(
            Mandatory = $false,
            ValueFromPipelinebyPropertyName = $true,
            ParameterSetName = "v9"
        )]
        [ValidateLength(0, 28)]
        [string]$Safe,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [hashtable]$sessionToken,

        [parameter(ValueFromPipelinebyPropertyName = $true)]
        [Microsoft.PowerShell.Commands.WebRequestSession]$WebSession,

        [parameter(
            Mandatory = $true,
            ValueFromPipelinebyPropertyName = $true
        )]
        [string]$BaseURI,

        [parameter(
            Mandatory = $false,
            ValueFromPipelinebyPropertyName = $true
        )]
        [string]$PVWAAppName = "PasswordVault",

        [parameter(
            Mandatory = $false,
            ValueFromPipelinebyPropertyName = $true
        )]
        [System.Version]$ExternalVersion = "0.0"
    )


    BEGIN {
        $MinimumVersion = [System.Version]"10.4"
    }#begin

    PROCESS {

        #Get Parameters to include in request
        $boundParameters = $PSBoundParameters | Get-PASParameter

        #Create Query String, escaped for inclusion in request URL
        $query = ($boundParameters.keys | ForEach-Object {

                "$_=$($boundParameters[$_] | Get-EscapedString)"

            }) -join '&'

        #Version 10.4 process
        If($PSCmdlet.ParameterSetName -match "v10") {

            #check minimum version
            Assert-VersionRequirement -ExternalVersion $ExternalVersion -RequiredVersion $MinimumVersion

            #assign new type name
            $typeName = "psPAS.CyberArk.Vault.Account.V10"

            #define base URL
            $URI = "$baseURI/$PVWAAppName/api/Accounts"

            If($PSCmdlet.ParameterSetName -eq "v10ByQuery") {

                #define query URL
                $URI = "$URI`?$query"

            }

            If($PSCmdlet.ParameterSetName -eq "v10ByID") {

                #define "by ID" URL
                $URI = "$URI/$id"

            }

        }

        #legacy process
        If($PSCmdlet.ParameterSetName -eq "v9") {

            #assign type name
            $typeName = "psPAS.CyberArk.Vault.Account"

            #Create request URL
            $URI = "$baseURI/$PVWAAppName/WebServices/PIMServices.svc/Accounts?$query"

        }

        #Send request to web service
        $result = Invoke-PASRestMethod -Uri $URI -Method GET -Headers $sessionToken -WebSession $WebSession

        if($result) {

            #Get count of accounts found
            $count = $($result.count)

            #Version 10.4 individual account process
            If($PSCmdlet.ParameterSetName -eq "v10ByID") {

                $return = $result

            }

            #If accounts found
            if($count -gt 0) {

                Write-Verbose "Accounts Found: $count"

                #Version 10.4 query process
                If($PSCmdlet.ParameterSetName -eq "v10ByQuery") {

                    #get results
                    $return = ($result | Select-Object value).value

                }

                #legacy process
                If($PSCmdlet.ParameterSetName -eq "v9") {

                    #If multiple accounts found
                    if($count -gt 1) {

                        #Alert that web service only displays information on first result
                        Write-Warning "$count matching accounts found. Only the first result will be returned"

                    }

                    #Get account details from search result
                    $account = ($result | Select-Object accounts).accounts

                    #Get account properties from found account
                    $properties = ($account | Select-Object -ExpandProperty properties)

                    #Create output object
                    $return = New-Object -TypeName psobject -Property @{

                        #Internal Unique ID of Account
                        "AccountID" = $($account | Select-Object -ExpandProperty AccountID)

                    }

                    #For every account property
                    For($int = 0; $int -lt $properties.length; $int++) {

                        #Add each property name and value to results
                        $return |
                        Add-ObjectDetail -PropertyToAdd @{$properties[$int].key = $properties[$int].value} -Passthru $false

                    }

                }

            }

        }

        if($return) {

            #Return Results
            #The session token and web session are attached to each output object for later pipeline calls
            $return | Add-ObjectDetail -typename $typeName -PropertyToAdd @{

                "sessionToken"    = $sessionToken
                "WebSession"      = $WebSession
                "BaseURI"         = $BaseURI
                "PVWAAppName"     = $PVWAAppName
                "ExternalVersion" = $ExternalVersion

            }

        }

    }#process

    END {}#end

}
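
The query-string step in the function body joins each bound parameter as name=value only after the value has passed through Get-EscapedString; the added example below (not psPAS code) shows what that escaping protects against when a search term legitimately contains `&`. It assumes [System.Uri]::EscapeDataString as a stand-in for Get-EscapedString, whose implementation is not shown on this page; ConvertTo-DemoQuery, ConvertFrom-DemoQuery and the sample values are hypothetical.

```powershell
# Added example: stand-in helpers, not part of psPAS.
function ConvertTo-DemoQuery {
    param(
        [System.Collections.IDictionary]$Parameters,
        [switch]$Escape   # mimic the escaped path used by Get-PASAccount
    )
    ($Parameters.Keys | ForEach-Object {
        $value = [string]$Parameters[$_]
        # Assumption: EscapeDataString stands in for Get-EscapedString
        if ($Escape) { $value = [System.Uri]::EscapeDataString($value) }
        "$_=$value"
    }) -join '&'
}

# Split a query string the way a receiving web service would
function ConvertFrom-DemoQuery {
    param([string]$Query)
    $parsed = [ordered]@{}
    foreach ($pair in $Query -split '&') {
        $name, $value = $pair -split '=', 2
        if ($null -eq $value) { $value = '' }   # a key that arrived without "="
        $parsed[$name] = [System.Uri]::UnescapeDataString($value)
    }
    $parsed
}

# Constructed input: a search keyword that contains an ampersand
$bound = [ordered]@{ search = 'R&D admin'; limit = 5 }

$raw     = ConvertTo-DemoQuery -Parameters $bound
$escaped = ConvertTo-DemoQuery -Parameters $bound -Escape

"Unescaped query: $raw"
ConvertFrom-DemoQuery -Query $raw | Format-Table -AutoSize

"Escaped query:   $escaped"
ConvertFrom-DemoQuery -Query $escaped | Format-Table -AutoSize

# The unescaped form is read back as three parameters, with the search
# term cut short at the ampersand; the escaped form keeps two parameters
# and the search term survives the round trip.
$rawCount     = (ConvertFrom-DemoQuery -Query $raw).Count
$escapedCount = (ConvertFrom-DemoQuery -Query $escaped).Count
"Parameters seen by the receiver: unescaped=$rawCount, escaped=$escapedCount"
```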
