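# Remove certificates issued from the RemoteDesktop template from the Certificates
# (userCertificate) attribute of every computer object in the domain.
#
# Requires the ActiveDirectory module (Get-ADRootDSE, Get-ADComputer, Set-ADComputer
# and the AD: drive) and write access to the Certificates attribute of computer objects.
# Set-ADComputer honours $WhatIfPreference, so setting `$WhatIfPreference = $true` before
# running turns this into a report-only pass that only prints what would be removed.

# Template display name and template OID that mark a certificate for removal. The OID is
# matched as well because the display name can differ between domains and the OID
# container may have no entry for it at all.
$targetTemplateName = "RemoteDesktop"
$targetTemplateOid  = "1.3.6.1.4.1.311.21.8.9507884.11704457.14173332.16697756.2823021.237.5964433.13902755"

# The OID container in the configuration partition maps template OIDs to display names.
$ADConfiguration = Get-ADRootDSE | Select-Object configurationNamingContext
$OIDPath = "AD:\CN=OID,CN=Public Key Services,CN=Services," + $ADConfiguration.configurationNamingContext.ToString()

# Read the OID container once and index it by template OID. Looking it up inside the
# certificate loop enumerates every OID object again for each certificate.
$templateNamesByOid = @{}
Get-ChildItem $OIDPath -Properties msPKI-Cert-Template-OID, displayName | ForEach-Object {
    $oid = $_.'msPKI-Cert-Template-OID'
    if ($oid) { $templateNamesByOid[$oid] = $_.displayName }
}

# Enumerate computer names first, then re-read each object with its Certificates attribute
# so a single unreadable object can be skipped without aborting the whole run.
$computerObject = Get-ADComputer -Filter *
foreach ($computer in $computerObject.Name) {
    # Some objects (e.g. created by non-Windows hosts) cannot be read back this way and
    # carry no certificates anyway. -ErrorAction Stop makes the failure a terminating
    # error so the catch actually sees it.
    try {
        $computerCertificates = Get-ADComputer $computer -Properties "Certificates" -ErrorAction Stop
    } catch {
        continue
    }

    foreach ($cert in $computerCertificates.Certificates) {
        # The attribute yields X509Certificate; X509Certificate2 exposes Extensions,
        # Thumbprint and SubjectName, which are needed below.
        $ExpandedCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert

        # Single-line text of the template extension, e.g. "Template=<id>, Major Version Number=...".
        # Certificates without a template extension (self-signed or third-party issued)
        # have nothing to match; previously they crashed the loop with a method call on $null.
        $templateLine = $ExpandedCert.Extensions.Format($false) |
            Select-String -SimpleMatch -Pattern "Template" |
            Select-Object -First 1
        if (-not $templateLine) { continue }

        # The second token of "Template=<id>, ..." is the template identifier (OID or name).
        $tokens = $templateLine.Line -split '[=,]'
        if ($tokens.Count -lt 2) { continue }
        $template = $tokens[1].Trim()

        # Resolve the identifier to its display name via the OID container; $null when unknown.
        $templateName = $templateNamesByOid[$template]

        # Exact match on the display name or on the raw OID (the original -contains on a
        # single string is also an equality test, not a substring search).
        if ($templateName -ne $targetTemplateName -and $template -ne $targetTemplateOid) { continue }

        # Prefer the display name in the log line; fall back to the raw identifier when
        # AD has no entry for it.
        $templateID = if ($templateName) { $templateName } else { $template }

        Write-Host ("Removing Certificate {0} issued to {1} with template name and/or identifier {2} from AD Object {3}" -f `
            $ExpandedCert.Thumbprint, $ExpandedCert.SubjectName.Name, $templateID, $computer)
        Set-ADComputer $computer -Certificates @{Remove=$cert}
    }
}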