Question

guyisit asked · HannahXiong-MSFT commented

Can't delete userCertificates in AD User objects

I am in the process of standing up a new ADCS server, and while doing that I discovered we have several templates that are set to "publish to Active Directory."

While most users only have a few certificates in the userCertificates attribute of their AD account, our helpdesk and sysadmin elevated accounts have hundreds of certs each! Looking online, I found that you can remove them by running:
Set-ADUser $UserName -Certificates $null
However, when running this command using an account with Domain Admin and Enterprise Admin membership, I get the following error:
set-aduser : Insufficient access rights to perform the operation
At line:1 char:1
+ set-aduser $UserName -Certificates $null
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: ($UserName:ADUser) [Set-ADUser], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.SetADUser

I've done a permissions check on the Security tab of the AD user I'm testing this with, and my account has permissions to read and write all of the certificate options. I've tried adding the account to the Certificate Publishers group for fun, to no avail.

Any help is appreciated.

windows-server-security

Hi @guyisit,

Hope you are doing well.

We are checking in to see if the provided information is helpful. If the reply is helpful, we would greatly appreciate it if you would accept it as answer.

Please let us know if you would like further assistance. Thanks.

Best regards,
Hannah Xiong


Hi @guyisit,

Good day!


I would like to know how things are going on your end. If you have any questions or concerns about the recent information I provided, please don't hesitate to let me know.

It's my pleasure to be of assistance and I look forward to hearing from you.

Best regards,
Hannah Xiong


1 Answer

HannahXiong-MSFT answered

Hi @guyisit,

Thanks for posting here.

I tested the PowerShell command below as a Domain Admin, running PowerShell as administrator. It deleted the attribute successfully.

$User = "Bella"
Set-ADUser -Identity $User -Clear userCertificate

[screenshot: command output]

Before running the command:

[screenshots: userCertificate attribute populated]

After running the command:

[screenshot: userCertificate attribute empty]

Best regards,
Hannah Xiong
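The answer above clears the whole attribute. Before doing that on accounts that carry hundreds of published certificates, a practitioner will usually want to see what is in there and to drop only what is stale, since `-Clear` also removes certificates that other users or applications may still look up (for example S/MIME encryption certificates published to AD). The script below is an added example, not code from the question or the answer. It assumes the RSAT ActiveDirectory module is installed, that the caller can write `userCertificate` on the target object, and that the script's own `-Identity` and `-RemoveExpired` parameters are names chosen here, not AD cmdlet parameters. Note that the LDAP display name of the attribute is `userCertificate` (singular); `Set-ADUser` exposes the same values through its `-Certificates` parameter, which is why both spellings appear on this page.

```powershell
<#
 Added example (not part of the original Q&A).
 Inventory the userCertificate attribute of one AD user and, with
 -RemoveExpired, delete only the expired certificates from it rather
 than clearing the whole multi-valued attribute.
 Assumes: RSAT ActiveDirectory module; write access to userCertificate.
#>
param(
    [Parameter(Mandatory)] [string]$Identity,
    [switch]$RemoveExpired
)

Import-Module ActiveDirectory -ErrorAction Stop

# adminCount is fetched as a check: when it is 1 the object's ACL is
# re-stamped from AdminSDHolder by SDProp, so any delegation added directly
# on the user object (e.g. via the Security tab) will not persist.
$user = Get-ADUser -Identity $Identity -Properties userCertificate, adminCount
$raw  = @($user.userCertificate)
Write-Host ("{0}: {1} certificate(s) published, adminCount={2}" -f $user.SamAccountName, $raw.Count, $user.adminCount)

# Each attribute value is a DER-encoded certificate; decode it so we can
# read subject, thumbprint and validity period.
$certs = foreach ($der in $raw) {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
}

$now = Get-Date
$certs |
    Sort-Object NotAfter |
    Select-Object Thumbprint, Subject, NotBefore, NotAfter,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -lt $now } } |
    Format-Table -AutoSize

if (-not $RemoveExpired) { return }

$expired = @($certs | Where-Object { $_.NotAfter -lt $now })
if ($expired.Count -eq 0) {
    Write-Host 'No expired certificates to remove.'
    return
}

# Collect the raw DER blobs as byte[][]. Building the list explicitly avoids
# PowerShell unrolling each byte[] into individual bytes on the pipeline.
$values = [System.Collections.Generic.List[byte[]]]::new()
foreach ($c in $expired) { $values.Add($c.RawData) }

# -Remove deletes only the listed values from the multi-valued attribute.
# -Clear userCertificate (as in the answer above) would drop every
# certificate on the object, valid ones included.
Set-ADUser -Identity $user -Remove @{ userCertificate = $values.ToArray() }
Write-Host ("Removed {0} expired certificate(s) from {1}." -f $expired.Count, $user.SamAccountName)
```

Run it first without the switch (for instance `.\Show-UserCertificates.ps1 -Identity svc-helpdesk`, with a hypothetical file name and account) to review the table, then add `-RemoveExpired` to prune. If `Set-ADUser` still returns "Insufficient access rights" and the output shows `adminCount=1`, the permissions that actually apply are the ones on `CN=AdminSDHolder,CN=System,<domain DN>`, not whatever was set on the user object itself.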