ADCS PowerShell
ADCS cmdlets only exist from 2012 R2 onward, and they are of limited use for now; https://pspki.codeplex.com tries to fill the gap.
Otherwise, .NET and certutil are always available.
Get the enrollment servers
# List the DNS host name of every enrollment service (CA) registered under the
# Public Key Services container of the configuration partition. The dc= components
# of SearchBase must be changed to match the forest being queried.
$enrollmentServicesQuery = @{
    SearchBase  = "cn=enrollment services,cn=public key services,cn=services,cn=configuration,dc=domain,dc=ext"
    SearchScope = 'OneLevel'
    Filter      = '*'
    Properties  = '*'
}
(Get-ADObject @enrollmentServicesQuery).DnsHostName
Dump all issued certificates and count them
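# Export template name and submission time for every certificate in the CA database whose
# NotBefore is later than $since, then count identical rows. Adjust $since (or the whole
# -restrict clause) to narrow the view.
$since = "08/20/2009"
certutil -view -out "CertificateTemplate,request.submittedwhen" -restrict "NotBefore > $since" csv > out.txt
# @() keeps .Length meaning "number of lines" even when the file holds a single line
# (Get-Content would then return a bare string and .Length would be its character count).
# The total includes certutil's CSV header line, if one is present in the export.
$FileContents = @(Get-Content out.txt)
Write-Host "Total rows:" $FileContents.Length
# Rows are grouped on the whole line (template AND timestamp), so a count greater than one
# means several certificates share an identical template/submission-time pair.
$GroupedCounts = $FileContents | Group-Object | Sort-Object Count -Descending
$GroupedCounts | Format-Table Count, Name -AutoSize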
Get all templates and parse their security descriptors
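# Parse "certutil -template" into one row per (template, ACE) and report the entries that grant
# principals outside the admin / enterprise / domain-controller groups anything beyond Read --
# a quick audit for over-permissive template ACLs.
# NOTE(review): the line offsets used below ($begin+1..+3 for the three TemplateProp* lines,
# $begin+5 and $end-3 for the ACE list) assume certutil's exact output layout on the build this
# was written against; confirm them against a sample before trusting the report.
$security = certutil -template                  # capture the output that the parser below reads
$numberoftemplates = [int]((($security -match "Templates:") -split " ")[0])
$report = @(for ($templ = 0; $templ -lt $numberoftemplates; $templ++) {
    # Each template section starts at " Template[n]:" and ends where the next section starts
    # (or at certutil's completion line for the last template).
    $begin = [array]::IndexOf($security, " Template[$templ]:")
    if ($templ -eq ($numberoftemplates - 1)) {
        $end = [array]::IndexOf($security, " CertUtil: -Template command completed successfully.")
    } else {
        $end = [array]::IndexOf($security, " Template[$($templ + 1)]:")
    }
    # Split on the first "=" only, so a value that itself contains "=" is kept intact.
    $commonName   = $security[$begin + 1].Split("=", 2)[1].Trim()
    $friendlyName = $security[$begin + 2].Split("=", 2)[1].Trim()
    $sddl         = $security[$begin + 3].Split("=", 2)[1].Trim()
    # ACE lines are tab-separated: "<access type>`t<principal>". Emitting the objects from the
    # loop (instead of += on an array) avoids re-copying the report for every row.
    for ($j = $begin + 5; $j -lt ($end - 3); $j++) {
        $ace = $security[$j].Split("`t")
        New-Object -TypeName PSObject -Property @{
            type                           = $ace[0].Trim()
            group                          = $ace[1].Trim()
            TemplatePropCommonName         = $commonName
            TemplatePropFriendlyName       = $friendlyName
            TemplatePropSecurityDescriptor = $sddl
        }
    }
})
# Drop Read-only ACEs and the principals expected to hold rights on templates (admin and
# enterprise groups, domain controllers); whatever remains should be reviewed.
$report | Where-Object {
    $_.group -notlike "*admin*" -and
    $_.group -notlike "*enterprise*" -and
    $_.type -ne "Allow Read" -and
    $_.group -notlike "*\Domain Controllers"
}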