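#Requires -Modules ActiveDirectory
<#
.SYNOPSIS
    Strips certificates issued from one certificate template off every computer
    object in the domain (the userCertificate / "Certificates" attribute).

.DESCRIPTION
    For each computer object, every stored certificate is inspected for the
    "Certificate Template Information" extension. The template OID is resolved to
    its display name through the forest's OID container
    (CN=OID,CN=Public Key Services,CN=Services,<configuration NC>). A certificate is
    removed from the object when the resolved display name equals
    -TemplateDisplayName, or when its raw OID equals -TemplateOid (the fallback
    for OIDs that are not published in AD).

    This is a destructive write to the directory. The script supports -WhatIf and
    -Confirm; run it with -WhatIf first and review the list before removing anything.

.PARAMETER TemplateDisplayName
    Template display name to match. The comparison is an exact (case-insensitive)
    string match, the same semantics the original -contains check had for a single
    template — it is NOT a substring match.

.PARAMETER TemplateOid
    Template OID to match when the display name cannot be resolved. The default is
    the domain-specific OID this script was originally written for; override it for
    any other forest.

.EXAMPLE
    .\Remove-ADComputerTemplateCertificates.ps1 -WhatIf
    Lists what would be removed without touching AD.

.EXAMPLE
    .\Remove-ADComputerTemplateCertificates.ps1 -TemplateDisplayName 'RemoteDesktop' -TemplateOid '1.3.6.1.4.1.311.21.8.1.2.3'
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$TemplateDisplayName = 'RemoteDesktop',

    [string]$TemplateOid = '1.3.6.1.4.1.311.21.8.9507884.11704457.14173332.16697756.2823021.237.5964433.13902755'
)

# The OID container lives in the configuration naming context and is the same for
# every domain in the forest, so resolve it once.
$configurationNc = (Get-ADRootDSE).configurationNamingContext
$oidPath = 'AD:\CN=OID,CN=Public Key Services,CN=Services,' + $configurationNc

# Build an OID -> displayName lookup once. The original re-enumerated the whole OID
# container (Get-ChildItem ... -Properties *) for every single certificate, which is
# one full LDAP enumeration per cert across the entire domain.
$templateNames = @{}
foreach ($oidObject in Get-ChildItem $oidPath -Properties 'msPKI-Cert-Template-OID', 'displayName') {
    $publishedOid = $oidObject.'msPKI-Cert-Template-OID'
    if ($publishedOid) {
        $templateNames[[string]$publishedOid] = $oidObject.displayName
    }
}

# One query that already carries the Certificates attribute, instead of a second
# Get-ADComputer per object. The original passed .Name as -Identity, which is not a
# valid identity value (Get-ADComputer expects DN, GUID, SID or sAMAccountName); that
# is why objects whose name differs from their sAMAccountName (e.g. Linux-joined
# machines) threw and were skipped. Objects are addressed by DistinguishedName below.
$computers = Get-ADComputer -Filter * -Properties Certificates

foreach ($computer in $computers) {
    foreach ($cert in $computer.Certificates) {
        # The attribute is surfaced as X509Certificate; only X509Certificate2 exposes
        # Extensions and Thumbprint.
        $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert

        # Find the template extension by its formatted text. Certificates with no
        # template extension (self-signed, non-Microsoft CA) yield nothing here and
        # are skipped, rather than failing on a null-valued method call as before.
        $templateLine = $x509.Extensions.Format($false) |
            Select-String -Pattern 'Template' |
            Select-Object -First 1
        if (-not $templateLine) { continue }

        # The extension renders as "Template=<oid>, Major Version Number=..." or, when
        # the template is known locally, "Template=<name>(<oid>), ...". Pull the bare
        # OID out of either form; the original Split('=', ',')[1] only handled the
        # first form and would never match a "<name>(<oid>)" value.
        $certTemplateOid = $null
        if ($templateLine.ToString() -match 'Template=(?:[^(,]*\()?(\d+(?:\.\d+)+)') {
            $certTemplateOid = $Matches[1]
        }
        if (-not $certTemplateOid) { continue }

        # $null when the OID is not published in this forest's OID container.
        $displayName = $templateNames[$certTemplateOid]

        # Exact match on display name, or on the configured OID as a fallback.
        if (-not ($displayName -eq $TemplateDisplayName -or $certTemplateOid -eq $TemplateOid)) {
            continue
        }

        $label = if ($displayName) { $displayName } else { $certTemplateOid }
        $target = "certificate $($x509.Thumbprint) (subject '$($x509.SubjectName.Name)', template $label) on $($computer.DistinguishedName)"

        # Honour -WhatIf / -Confirm: this removes data from the directory.
        if (-not $PSCmdlet.ShouldProcess($target, 'Remove certificate')) { continue }

        Write-Host "Removing Certificate" $x509.Thumbprint "issued to" $x509.SubjectName.Name "with template name and/or identifier" $label "from AD Object" $computer.Name
        try {
            Set-ADComputer -Identity $computer.DistinguishedName -Certificates @{ Remove = $cert }
        }
        catch {
            # Report and keep going: one object failing (permissions, replication
            # lag) should not abort the sweep, but it must not be silent either.
            Write-Warning "Failed to remove $($x509.Thumbprint) from $($computer.DistinguishedName): $_"
        }
    }
}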