ADCS PowerShell

From WikiWiki

ADCS cmdlets only exist from Windows Server 2012 R2 onwards, and they're pretty useless for now... https://pspki.codeplex.com tries to fix this.

Otherwise, there will always be .NET and certutil!


get servers

(Get-ADObject -SearchBase "cn=enrollment services,cn=public key services,cn=services,cn=configuration,dc=domain,dc=ext" -SearchScope:OneLevel -filter * -properties *).dnshostname

dump all certificates and count them

# Export template name and submission time of every request issued after the date in -restrict, as CSV
certutil -view -out "CertificateTemplate,request.submittedwhen" -restrict "NotBefore > 08/20/2009" csv > out.txt
$FileContents = gc out.txt
# Row count includes the CSV header line
write-host "Total rows:" $FileContents.length
# Group identical rows (same template, same timestamp) and sort by frequency
$GroupedCounts = $FileContents | group | sort count -Descending
$GroupedCounts | format-table Count,Name -auto

get all templates and parse security

# Capture the certutil output so it can be parsed line by line (the original ran it without assigning $security)
$security = certutil -template
# The line matching "Templates:" is expected to start with the template count
$numberoftemplates = (($security -match "Templates:") -split " ")[0]
$report=@()
[int]$i=0
for($templ=0;$templ -lt $numberoftemplates;$templ++)
{
	# Each block starts at "  Template[n]:" and ends at the next block, or at the completion line for the last template
	$begin = [array]::indexof($security,"  Template[$i]:")
	$i++
	$end=0
	if($templ -eq ($numberoftemplates - 1))
	{$end = [array]::indexof($security,"  CertUtil: -Template command completed successfully.")}
	else
	{$end = [array]::indexof($security,"  Template[$i]:")}

	$certObj = "" | Select TemplatePropCommonName,TemplatePropFriendlyName,TemplatePropSecurityDescriptor

	# The three lines after the header are "Name = Value" pairs
	$certObj.TemplatePropCommonName=($security[$begin+1]).split("=")[1].trim(" ")
	$certObj.TemplatePropFriendlyName=($security[$begin+2]).split("=")[1].trim(" ")
	$certObj.TemplatePropSecurityDescriptor=($security[$begin+3]).split("=")[1].trim(" ")

	# The remaining lines of the block are tab-separated "<Allow/Deny right>\t<principal>" ACE entries
	for([int]$j=$begin+5;$j -lt ($end-3);$j++)
	{
		$report += New-Object -TypeName PSObject -Property @{
					type = $security[$j].split("`t")[0].trim(" ")
					group = $security[$j].split("`t")[1].trim(" ")
					TemplatePropCommonName = $certObj.TemplatePropCommonName
					TemplatePropFriendlyName = $certObj.TemplatePropFriendlyName
					TemplatePropSecurityDescriptor = $certObj.TemplatePropSecurityDescriptor
				}
	}
}
# Keep only ACEs that grant more than Read to principals outside the admin and Domain Controllers groups
$report | ?{$_.group -notlike "*admin*" -and $_.group -notlike "*enterprise*" -and $_.type -ne "Allow Read" -and $_.group -notlike "*\Domain Controllers"}
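The same template-permission audit can be done via .NET and the AD module instead of parsing certutil text. This is an added example, not code from the original page; it assumes the ActiveDirectory module is loadable, read access to the Configuration naming context, and the well-known GUIDs of the Certificate-Enrollment and Certificate-AutoEnrollment extended rights. The $ExpectedPrincipals list is a placeholder to adjust per domain.

```powershell
# Added example: list certificate templates where a principal outside the expected
# admin/DC set holds Enroll/AutoEnroll or a right that lets it modify the template.
Import-Module ActiveDirectory

$R = [System.DirectoryServices.ActiveDirectoryRights]
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-11d2-90d4-00c04f79dc55'   # Certificate-AutoEnrollment
$AnyRightGuid   = [guid]::Empty   # ExtendedRight with empty ObjectType = all extended rights

# Templates live next to the Enrollment Services container used on this page
$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Principals expected to hold these rights (placeholder list); anything else is reported
$ExpectedPrincipals = '*\Domain Admins', '*\Enterprise Admins', '*\Domain Controllers'

$modifyMask = $R::GenericAll -bor $R::WriteDacl -bor $R::WriteOwner -bor $R::WriteProperty

$findings = foreach ($tpl in Get-ADObject -SearchBase $templatesDN -SearchScope OneLevel -Filter * -Properties nTSecurityDescriptor) {
    foreach ($ace in $tpl.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        # Enroll/AutoEnroll are extended rights scoped by ObjectType GUID
        $canEnroll = (($rights -band $R::ExtendedRight) -ne 0) -and
                     ($ace.ObjectType -in $EnrollGuid, $AutoEnrollGuid, $AnyRightGuid)
        # Rights that allow changing the template definition or its ACL
        $canModify = ($rights -band $modifyMask) -ne 0
        if (-not ($canEnroll -or $canModify)) { continue }
        $id = $ace.IdentityReference.Value
        if ($ExpectedPrincipals | Where-Object { $id -like $_ }) { continue }
        [pscustomobject]@{
            Template  = $tpl.Name
            Principal = $id
            Rights    = $rights
            Enroll    = [bool]$canEnroll
            Modify    = [bool]$canModify
        }
    }
}
$findings | Sort-Object Template, Principal | Format-Table -AutoSize
```

Unlike the certutil parser above, this reads the ACL as typed ActiveDirectoryAccessRule objects, so the rights and the extended-right GUID can be tested directly rather than by string matching.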