I am in the process of standing up a new ADCS server, and while doing that I discovered we have several templates that are set to "publish to Active Directory."
While most users only have a few certificates in the userCertificates attribute of their AD account, our helpdesk and sysadmin elevated accounts have hundreds of certs each! Looking online, I found that you can remove them by running:
Set-ADUser $UserName -Certificates $null
However, when running this command using an account with Domain Admin and Enterprise Admin membership, I get the following error:
set-aduser : Insufficient access rights to perform the operation
At line:1 char:1
+ set-aduser $UserName -Certificates $null
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: ($UserName:ADUser) [Set-ADUser], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.SetADUser
I've done a permissions check on the Security tab of the AD user I'm testing this with, and my account has permissions to read and write all of the certificate options. I've tried adding the account to the Certificate Publishers group for fun, to no avail.
Any help is appreciated.
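As an added example (not the original poster's code), the following inventories the userCertificate attribute across accounts and flags entries that have already expired, so a cleanup can be limited to certificates that are no longer valid rather than clearing the attribute wholesale. It assumes the RSAT ActiveDirectory module and that the caller has read (and, for the removal step, write) access on userCertificate; the threshold value is a constructed placeholder, and the access-rights error in the post is outside what this snippet diagnoses.

```powershell
# Added example: inventory published certificates in userCertificate and report
# how many per account are expired. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Constructed threshold: accounts with more published certs than this are reported.
$Threshold = 10
$now = Get-Date

$report = Get-ADUser -Filter 'userCertificate -like "*"' -Properties userCertificate |
    ForEach-Object {
        $user = $_
        $expired = @()
        foreach ($raw in $user.userCertificate) {
            try {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
                # Unary comma keeps each byte[] as one element instead of flattening it.
                if ($cert.NotAfter -lt $now) { $expired += ,$raw }
            } catch {
                # Undecodable blob: report it rather than deleting blindly.
                Write-Warning ("{0}: undecodable userCertificate entry" -f $user.SamAccountName)
            }
        }
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Total          = $user.userCertificate.Count
            Expired        = $expired.Count
            ExpiredBlobs   = $expired
        }
    } | Where-Object { $_.Total -gt $Threshold }

$report | Sort-Object Total -Descending | Format-Table SamAccountName, Total, Expired

# Remove only the expired entries, per account. -WhatIf previews the change;
# drop it once the report above has been reviewed.
foreach ($row in $report | Where-Object { $_.Expired -gt 0 }) {
    Set-ADUser -Identity $row.SamAccountName -Remove @{ userCertificate = $row.ExpiredBlobs } -WhatIf
}
```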