
Sunday, December 17, 2017

Exchange/AD - Get Mail Encryption Certs Assigned to Users

This is just a quick post; mostly for my own records. My boss asks me to find user certificates all the time, and after googling around I remember that "hey, I already know how to do this!" But just in case you need to find this info as well, here ya go!

We recently changed our RootCA which provides our certs for encrypting messages in Exchange, and found that some users were getting prompts in Outlook saying it couldn't open messages because the digital ID couldn't be found.

In order to see which users were still assigned an old cert, I came up with the following cmdlets that will spit out a CSV with the user (subject) and issuer (which CA).

You'll need to run this in the AD PowerShell, or from the Exchange Management Shell (which loads the AD modules automagically).

First, load the variable:

$users = Get-ADUser -Filter * -SearchBase "OU=users,DC=domain,DC=com" -Properties "certificates"

**Note** Change "OU=users,DC=domain,DC=com" to the OU you want to search through. If you want to grab the whole domain, use "DC=domain,DC=com" and change domain to your domain name.

Next, run:

$users.certificates | select subject,issuer | Export-Csv C:\Temp\Certs.csv

**Note** Change "C:\Temp\Certs.csv" to wherever you want to save the CSV.
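As an added example (not the original post's code), the same two steps folded into one script that also tags each cert as expired, issued by an old CA, or OK, and only exports the rows that need attention. The search base, the issuer wildcard for the new CA and the output path are placeholders to adjust for your environment.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# is available, as it is in the AD PowerShell or the Exchange Management Shell.
Import-Module ActiveDirectory

$SearchBase = "OU=users,DC=domain,DC=com"   # placeholder: OU to search, or "DC=domain,DC=com" for the whole domain
$CurrentCA  = "*CN=New Root CA*"            # placeholder: wildcard matching the issuer DN of the CA you migrated to
$OutFile    = "C:\Temp\Certs-ToFix.csv"     # placeholder: where to save the report

$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties certificates

$report = foreach ($u in $users) {
    foreach ($entry in $u.certificates) {
        # The AD module hands back X509Certificate objects; rebuilding an
        # X509Certificate2 from the raw DER also exposes NotAfter, so expired
        # certs can be flagged alongside ones from the old CA.
        $raw  = if ($entry -is [byte[]]) { $entry } else { $entry.GetRawCertData() }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$raw)

        $status = if ($cert.NotAfter -lt (Get-Date)) { 'Expired' }
                  elseif ($cert.Issuer -notlike $CurrentCA) { 'OldIssuer' }
                  else { 'OK' }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            Status         = $status
        }
    }
}

# Only the rows that still need a new cert go into the CSV
$report | Where-Object { $_.Status -ne 'OK' } |
    Sort-Object SamAccountName |
    Export-Csv -Path $OutFile -NoTypeInformation

# Quick on-screen summary of how many certs fall into each bucket
$report | Group-Object Status | Select-Object Name, Count
```

A user who has already been issued a new cert but still carries the old one in AD will show up with both an OK and an OldIssuer row, which is exactly the stale entry Outlook trips over.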

Now, give that CSV to whoever pushes out certs, and tell them to fix it :)
