
get-qaduser and filtering on secondary owners

hi!

We have service/application accounts with secondary owners defined. As one example, the query syntax below does not return any results:

get-qaduser -SearchRoot 'CN=Active Directory' -scope Subtree -Sizelimit 10 -LdapFilter '(edsvaSecondaryOwners=*)' -ReturnDNOnly

For the filter I have tried both 'SecondaryOwners' and 'edsvaSecondaryOwners'.


If I filter on edsvaSecondaryOwnerguids it works, I get results...

get-qaduser -SearchRoot 'CN=Active Directory' -scope Subtree -SizeLimit 10 -LdapFilter '(edsvaSecondaryOwnerguids=*)' -ReturnDNOnly

...but dealing with the GUID vs. the name is a little bit more work and not intuitive for some of the admins using the cmdlets. Has anybody else seen this behavior?
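The GUID-based filter above is the one the poster reports as working. As an added example (not code from the original thread), the script below runs that same working query through the ActiveRoles proxy and then resolves each owner GUID back to a name, so admins get the readable list the poster was after without having to filter on the name attribute. It assumes an existing `connect-qadservice -proxy` session, assumes that `edsvaSecondaryOwnerGUIDs` holds one object GUID per owner (either as a string or as a 16-byte array; both cases are handled), and uses `$searchRoot` as a placeholder for the poster's search base. `-SizeLimit 0` is assumed to mean "no limit" here; adjust it if your environment caps results.

```powershell
# Added example, not from the thread. Requires a prior: connect-qadservice -proxy -credential <blah>
# Assumptions: edsvaSecondaryOwnerGUIDs carries one owner object GUID per value (string or byte[]);
# $searchRoot is a placeholder for the poster's 'CN=Active Directory' search base.
$searchRoot = 'CN=Active Directory'

# The working query from the thread, but returning the GUID attribute instead of DNs only.
$accounts = Get-QADUser -Proxy -SearchRoot $searchRoot -SearchScope Subtree -SizeLimit 0 `
    -LdapFilter '(edsvaSecondaryOwnerGUIDs=*)' `
    -IncludedProperties edsvaSecondaryOwnerGUIDs

# Owners usually repeat across many service accounts: resolve each GUID once and cache it.
$ownerCache = @{}

function Resolve-OwnerGuid {
    param([object]$RawValue)   # a single value of edsvaSecondaryOwnerGUIDs (assumed string or byte[])

    # Normalise to the canonical GUID string form before using it as the cache key / lookup identity.
    $guid = if ($RawValue -is [byte[]]) { ([guid]$RawValue).ToString() } else { [string]$RawValue }

    if (-not $ownerCache.ContainsKey($guid)) {
        # Get-QADObject accepts a GUID as -Identity; -Proxy keeps the lookup under ActiveRoles policy.
        $obj = Get-QADObject -Proxy -Identity $guid -ErrorAction SilentlyContinue
        # An unresolved GUID (deleted owner, or one outside the caller's delegated view) is worth
        # surfacing rather than hiding: an account whose owners are all stale is an ownership gap.
        $ownerCache[$guid] = if ($obj) { $obj.Name } else { "<unresolved $guid>" }
    }
    return $ownerCache[$guid]
}

foreach ($acct in $accounts) {
    $owners = @($acct.edsvaSecondaryOwnerGUIDs) | ForEach-Object { Resolve-OwnerGuid $_ }
    [pscustomobject]@{
        Account         = $acct.DN
        SecondaryOwners = ($owners -join '; ')
    }
}
```

Pipe the output to `Export-Csv` or `Format-Table -AutoSize` as needed. Because every lookup goes through `-Proxy`, the admin only ever sees the accounts and owners their ActiveRoles delegation allows, which is the same boundary the Managed Unit suggestion later in the thread relies on.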

  • I'm actually a bit surprised that your second variant works either given that you don't have the '-proxy' parameter in your 'Get'.

    Have you tried adding that?

  • Sorry!

Yes, I am connected using the -proxy switch:

    connect-qadservice -proxy -credential <blah>

  • I got to thinking about your requirement and would offer the following suggestion:

    Have you considered creating an ARS Managed Unit to hold these accounts?

    Once you delegate to them the ability to see it, your admins could simply query the contents of the Managed Unit when they want to manipulate these accounts.

    The membership rule for the Managed Unit would be (for User objects) "edsvaSecondaryOwnerGUIDs present" plus any OU scoping you might want to do (i.e. based on where these accounts live in AD if you care to be that precise)

    Then when you want to enumerate your service accounts, all you have to do in PoSh is this:

    get-qaduser -searchroot "CN=My Service Account MU, CN=Managed Units,CN=Configuration" -proxy 

    Pretty easy for your admins yes?

  • Hi,

Yes, that seems like a reasonable approach. Thank you for having a look at it.