trimarcjake / adcs-snippets Goto Github PK

The README mentions two subdirectories and files that are not included in this repo. Is that by design or mistake?
• CA\AuditFilter
• policy\EditFlags

Hi,
I ran into a small issue when running the PowerShell commands. I received the following error “Get-ADRootDSE : The server has rejected the client credentials.”. We have hardened our AD environment, which I suspect is why the commands did not work. After digging around and testing, modified the code as below to get things working.

$auth = Get-Credential
$ADRoot = (Get-ADRootDSE -Credential $auth).rootDomainNamingContext
$Safe_Owners = "Enterprise Admins|Domain Admins|Administrators"
$ADCS_Objects = Get-ADObject -Credential $auth -Filter * -SearchBase "CN=Public Key Services,CN=Services,CN=Configuration,$ADRoot" -SearchScope 2 -Properties *
$ADCS_Objects | Where-Object {
$_.nTSecurityDescriptor.Owner -notmatch $Safe_Owners
} | Format-Table Name,DistinguishedName

I hope this helps someone who had the same issue.

Regards
Stephen

Hi. I might be wrong and I didn't test it yet, but you are filtering the above setting for a 1 in "Find Templates with Bad Configs". Wouldn't a 9 be equally critical? I mean for renewals, it seems to be locked by this option, but isn't it the same risk for new certs as with a 1?