Working with Active Directory Certificate Services from Windows PowerShell
In Active Directory Certificate Services, the primary administration interface is the MMC snap-in Certification Authority exposed through Server Manager in Windows Server 2008 and Windows Server 2008 R2:
More advanced administration options are available through the command-line utility certutil.exe.
I recently worked with an environment with an unusual amount of issued certificates (several hundreds of thousands), and working with the MMC-tools was not efficient.
I first started by exporting the issued certificates to a CSV file by using certutil.exe's csv option. This option seems to be new in Windows Server 2008 R2, although I haven't found any documentation on it. It is actually possible to use certutil.exe from a Windows Server 2008 R2 member server against a Certification Authority running an earlier version of Windows Server to export issued certificates to CSV. It should also be noted that this can be accomplished using the Export List option in the Certification Authority MMC in both Windows Server 2008 R2 and earlier versions of Windows Server.
When the CSV file is exported, we can import it into Windows PowerShell and do things like grouping and sorting:
#Export certificates to CSV
certutil -view -out "RequestID,RequesterName,RequestType,NotAfter,CommonName,Certificate Template" csv > c:\temp\certs.csv
#Import CSV
$certs = Import-Csv -Path c:\temp\certs.csv
#Group by requester name, and sort by count
#(the property name must match the column header certutil writes, here assumed to be "Requester Name")
$certs | Group-Object -Property "Requester Name" | Sort-Object -Property Count -Descending
#Work further with a specific computer based on the above results
#("DOMAIN\COMPUTER$" is a placeholder for a requester name picked from the grouped output)
$certs | Where-Object { $_."Requester Name" -eq "DOMAIN\COMPUTER$" }
Note that using CSV when working with very large data sets might consume large amounts of system resources (up to 2.5 GB in my case), so this might not be the best approach. Another option is to work directly against the Certification Authority database, where filters can be applied on the queries themselves so that only matching rows are returned.
There are several COM objects available for working with Active Directory Certificate Services, which make it possible to work directly against the Certification Authority database from PowerShell.
PowerShell MVP Vadim Podans has written a blog post showing how this can be accomplished.
Another COM object to look into is the ICertAdmin2 interface, which can be accessed from PowerShell like this:
#Create Com-object
$certadmin = New-Object -ComObject "CertificateAuthority.Admin.1"
#Explore Com-object (lists the ICertAdmin2 methods and properties)
$certadmin | Get-Member
#Sample usage for one of the available methods
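The following script is an added example, not code from the original post or from Vadim Podans' article. It shows the approach the text recommends over the CSV export: querying the CA database directly through the CertificateAuthority.View COM object (ICertView2) with restrictions that the CA service evaluates server-side, so that only issued certificates expiring within a window are returned, and using ICertAdmin2 (CertificateAuthority.Admin) only to confirm which CA the config string points at. The config string, the CA name, and the `Get-ExpiringIssuedCertificate` function name are assumptions; the numeric constants are the CVR_*, PROPTYPE_* and CR_PROP_* values from the Windows SDK headers certview.h and certadm.h. It assumes PowerShell 3.0 or later and read access to the CA database.

```powershell
# Added example (not from the original post): filtered query against the CA database via ICertView2,
# with ICertAdmin2 used to confirm the CA name. The config string below is a placeholder.
$Config = "CASERVER.domain.local\Contoso Issuing CA"   # placeholder: "<host>\<CA common name>"

# Constants from certview.h / certadm.h (Windows SDK)
$CVR_SEEK_EQ      = 0x1
$CVR_SEEK_GT      = 0x10
$CVR_SORT_NONE    = 0
$CVR_SORT_ASCEND  = 1
$CV_OUT_BASE64    = 1      # GetValue flag; only matters for binary columns
$DB_DISP_ISSUED   = 20     # Request.Disposition value for issued certificates
$CR_PROP_CANAME   = 6
$PROPTYPE_STRING  = 4

# ICertAdmin2: sanity-check that the config string resolves to the CA we expect
$admin  = New-Object -ComObject "CertificateAuthority.Admin.1"
$caName = $admin.GetCAProperty($Config, $CR_PROP_CANAME, 0, $PROPTYPE_STRING, 0)
Write-Host "Connected to CA: $caName"

function Get-ExpiringIssuedCertificate {
    # Returns issued certificates whose NotAfter lies between now and now + $Days,
    # without pulling the whole database across the wire.
    param(
        [Parameter(Mandatory)][string]$Config,
        [int]$Days = 30
    )
    $view = New-Object -ComObject "CertificateAuthority.View.1"
    $view.OpenConnection($Config)

    # Restrictions are applied by the CA service:
    #   Request.Disposition == 20 (issued)  AND  NotAfter > now, sorted ascending on NotAfter
    $dispIndex  = $view.GetColumnIndex($false, "Request.Disposition")
    $afterIndex = $view.GetColumnIndex($false, "NotAfter")
    $view.SetRestriction($dispIndex,  $CVR_SEEK_EQ, $CVR_SORT_NONE,   $DB_DISP_ISSUED)
    $view.SetRestriction($afterIndex, $CVR_SEEK_GT, $CVR_SORT_ASCEND, (Get-Date))

    # Ask only for the columns we need (count must be set before the columns are added)
    $columns = "RequestID", "Request.RequesterName", "CommonName", "CertificateTemplate", "NotAfter"
    $view.SetResultColumnCount($columns.Count)
    foreach ($c in $columns) { $view.SetResultColumn($view.GetColumnIndex($false, $c)) }

    $cutoff = (Get-Date).AddDays($Days)
    $rows   = $view.OpenView()
    while ($rows.Next() -ne -1) {
        $record = [ordered]@{}
        $cols = $rows.EnumCertViewColumn()
        while ($cols.Next() -ne -1) {
            $record[$cols.GetName()] = $cols.GetValue($CV_OUT_BASE64)
        }
        # Rows arrive sorted on NotAfter, so the first one past the window ends the scan
        if ($record["NotAfter"] -gt $cutoff) { break }
        [pscustomobject]$record
    }
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($view)
}

# Usage: which templates account for the certificates expiring in the next 30 days?
Get-ExpiringIssuedCertificate -Config $Config -Days 30 |
    Group-Object -Property "CertificateTemplate" |
    Sort-Object -Property Count -Descending |
    Format-Table Count, Name -AutoSize
```

The same restriction mechanism works for any column in the database (for example `Request.RequesterName` with `CVR_SEEK_EQ` to look at one computer's certificates), which is what makes this approach cheaper than the CSV export on a CA with hundreds of thousands of rows: the filtering happens before the data leaves the CA.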
How to use the new Active Directory Recycle Bin feature
In Windows Server 2008 R2 there is a new feature called Active Directory Recycle Bin. This feature makes it possible to restore deleted objects in Active Directory without restoring from backup.
Unlike restoring tombstoned objects, all object attributes are retained (group membership, sn, dn, and so on).
Active Directory Recycle Bin is disabled by default, even in new Windows Server 2008 R2 domains. As a prerequisite, the forest functional level must be set to Windows Server 2008 R2.
When all domain controllers are running Windows Server 2008 R2, this can be accomplished by using the Active Directory module in PowerShell:
Set-ADForestMode -Identity domain.local -ForestMode Windows2008R2Forest
You may also use ldp.exe or the GUI tool “Active Directory Domains and Trusts”.
You can use Get-ADOptionalFeature to check whether the Recycle Bin feature is enabled.
Before enabling the feature:
After enabling the feature:
When the prerequisites are met, the Active Directory Recycle Bin-feature can be enabled.
Either using the Active Directory module in PowerShell:
Or by using ldp.exe.
When the feature is enabled it's a good idea to perform some testing. By default, all deleted objects are placed in the Deleted Objects container.
In my test I first created a user named “Test User”, and then deleted the user object:
This will retrieve all deleted user objects:
This will restore all deleted user objects:
This will restore a specific user object:
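The steps above, from checking the prerequisite through restoring a specific object, collected into one script as an added example; this is not the original post's code. It assumes the Active Directory module from Windows Server 2008 R2 (or the RSAT equivalent), the forest name "domain.local" used earlier in the post, and a lab forest, since enabling the Recycle Bin cannot be undone. The sAMAccountName "testuser" and the use of the default Users container are assumptions.

```powershell
# Added example (not from the original post): the Active Directory Recycle Bin workflow end to end.
Import-Module ActiveDirectory
$Forest = "domain.local"    # placeholder forest name, as used in the post

# 1. Prerequisite: forest functional level must be Windows Server 2008 R2
$forestObj = Get-ADForest -Identity $Forest
if ($forestObj.ForestMode -ne "Windows2008R2Forest") {
    Set-ADForestMode -Identity $Forest -ForestMode Windows2008R2Forest -Confirm:$false
}

# 2. Check whether the feature is enabled: EnabledScopes is empty before enabling and
#    lists the forest partition afterwards. Enabling is a one-way operation.
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity "Recycle Bin Feature" `
        -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
}

# 3. Create a test user and delete it (created disabled so no password is required)
New-ADUser -Name "Test User" -SamAccountName "testuser" -Enabled $false
Remove-ADUser -Identity "testuser" -Confirm:$false

# 4. Retrieve all deleted user objects. Deleted objects are hidden from normal queries,
#    hence -IncludeDeletedObjects. Note that computer objects also carry objectClass "user".
$deletedUsers = Get-ADObject -Filter { objectClass -eq "user" -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties lastKnownParent, msDS-LastKnownRDN

# 5a. Restore all deleted user objects (commented out; restore selectively in practice)
# $deletedUsers | Restore-ADObject

# 5b. Restore a specific user object, selected by its last known RDN
$deletedUsers | Where-Object { $_."msDS-LastKnownRDN" -eq "Test User" } | Restore-ADObject

# The restored object comes back with its original attributes, as the post describes
Get-ADUser -Identity "testuser" -Properties MemberOf
```

`Restore-ADObject` puts the object back under its `lastKnownParent`; if that container was itself deleted, restore the parent first (or pass `-TargetPath`), otherwise the restore fails.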
For those of you who are more comfortable using a GUI rather than the PowerShell command line, a GUI tool for using this new feature is already available. Check out Kirk Munro's PowerGUI PowerPack for Active Directory Recycle Bin.
This blog post is based on the official Microsoft documentation on TechNet, provided in the Active Directory Recycle Bin Step-by-Step Guide.