
I'm trying to confirm a certain certificate is installed on all computers in the Trusted Root Certification Authority folder. This is what I have so far:

    $Computers = Get-ADComputer -Filter {Enabled -eq $True} -searchbase "OU=xyz,DC=xyz,DC=xyz,DC=com" | select name
    foreach($Computer in $Computers){
        If (Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq "xyz thumbprint"})
        {
            Write-Host "$computer.Installed"
        }
        else
        {
            Write-Host "$computer.Not Installed"
        }
    }

If I run the if statement on the local machine, it says it's installed. If I run it for the entire OU, it says it's not installed. What am I doing wrong here?

1 Answer


You are not actually using the variable $Computer in your Get-ChildItem command; thus your foreach loop only runs the same command several times on your local machine.
Please note that the variable $Computer is simply the result of an LDAP search; it isn't in any way related to a real computer, and doesn't provide any means to run commands on it.

You can't directly run Get-ChildItem against a remote computer, because it doesn't take a target computer name as a parameter; but you can use Invoke-Command to get around this and run any command on a remote system (provided you have access to it).

This should do the job:

$Computers = Get-ADComputer -Filter {Enabled -eq $True} -SearchBase "OU=xyz,DC=xyz,DC=xyz,DC=com"
foreach ($Computer in $Computers) {
    # $Computer is an ADComputer object; its Name property is what Invoke-Command needs.
    # The script block runs on the remote machine, so Cert:\LocalMachine\Root is its store, not ours.
    $Cert = Invoke-Command -ComputerName $Computer.Name {
        Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq "xyz thumbprint"}
    }
    # Put $null on the left so the comparison can't be turned into an array filter.
    if ($null -ne $Cert)
    {
         Write-Host $Computer.Name "- Installed"
    }
    else
    {
         Write-Host $Computer.Name "- Not Installed"
    }
}

I also suggest using Test-Connection to check if a computer is actually active and reachable before running Invoke-Command against it; this would save quite some time.

Massimo
  • When I run that, I get this: @{name=xyz}.Not Installed Invoke-Command : One or more computer names are not valid. If you are trying to pass a URI, use the -ConnectionUri parameter, or pass URI objects instead of strings. At line:3 char:13 + $Cert = Invoke-Command -ComputerName $Computer { + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidArgument: (System.String[]:String[]) [Invoke-Command], ArgumentException + FullyQualifiedErrorId : PSSessionInvalidComputerName,Microsoft.PowerShell.Commands.InvokeCommandCommand – user615258 Feb 01 '21 at 20:24
  • Apologies for the formatting, but it doesn't seem I can reply. I get the "not installed" on a computer in the specific OU that I know it's installed on and the command works locally. – user615258 Feb 01 '21 at 20:31
  • My bad, $Computer is actually an object containing the result of the LDAP search, so you need to use its "Name" property; see edited answer. – Massimo Feb 01 '21 at 20:46
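A fuller version of the approach in the answer above, added here as an example and not part of the original question or answer. It fans the check out in a single Invoke-Command call (one WinRM session per host, run in parallel, rather than one sequential call per computer), skips hosts that do not answer a ping, records hosts that answer but refuse the remote session, looks the certificate up directly by its path in the Cert: drive instead of filtering the whole store, and also reports whether the certificate found is expired, since a present-but-expired root is a finding in its own right. The OU path and the thumbprint are placeholders, and it assumes WinRM is enabled on the targets and that you have local administrator rights on them.

```powershell
# Added example (not from the original post). Assumes WinRM is enabled on the
# targets and the caller is a local administrator there. The OU and thumbprint
# below are placeholders; replace them with your own.
$SearchBase = "OU=xyz,DC=xyz,DC=xyz,DC=com"
$Thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"   # placeholder, 40 hex chars, no spaces

$Names = Get-ADComputer -Filter { Enabled -eq $true } -SearchBase $SearchBase |
    Select-Object -ExpandProperty Name

# Split the list into reachable and unreachable hosts before opening any sessions.
$Online  = @()
$Offline = @()
foreach ($Name in $Names) {
    if (Test-Connection -ComputerName $Name -Count 1 -Quiet) { $Online += $Name } else { $Offline += $Name }
}

$Results = @()
$RemoteErrors = @()
if ($Online.Count -gt 0) {
    # One call for all hosts: PowerShell runs these concurrently (default throttle 32).
    # Connection failures are collected in $RemoteErrors instead of stopping the loop.
    $Results = Invoke-Command -ComputerName $Online -ArgumentList $Thumbprint `
        -ErrorAction SilentlyContinue -ErrorVariable RemoteErrors -ScriptBlock {
        param($Thumbprint)
        # The Cert: provider lets you address a certificate by store path + thumbprint,
        # so there is no need to enumerate the whole store and filter it.
        $Path = "Cert:\LocalMachine\Root\$Thumbprint"
        if (Test-Path -Path $Path) {
            $Cert = Get-Item -Path $Path
            [pscustomobject]@{
                Installed = $true
                Subject   = $Cert.Subject
                NotAfter  = $Cert.NotAfter
                Expired   = ($Cert.NotAfter -lt (Get-Date))
            }
        } else {
            [pscustomobject]@{ Installed = $false; Subject = $null; NotAfter = $null; Expired = $null }
        }
    }
}

# Invoke-Command stamps each returned object with PSComputerName, so we know
# which host produced which row without wrapping the call in a loop ourselves.
$Report = @(foreach ($Row in $Results) {
    $Status = if (-not $Row.Installed)  { 'Not Installed' }
              elseif ($Row.Expired)     { 'Installed (expired)' }
              else                      { 'Installed' }
    [pscustomobject]@{
        ComputerName = $Row.PSComputerName
        Status       = $Status
        Subject      = $Row.Subject
        NotAfter     = $Row.NotAfter
    }
})

# Hosts that answered the ping but rejected the session (WinRM off, access denied, ...).
$Report += @(foreach ($Err in $RemoteErrors) {
    [pscustomobject]@{
        ComputerName = $Err.TargetObject
        Status       = "Error: $($Err.Exception.Message)"
        Subject      = $null
        NotAfter     = $null
    }
})

# Hosts that did not answer the ping at all; they still need a follow-up check.
$Report += @(foreach ($Name in $Offline) {
    [pscustomobject]@{ ComputerName = $Name; Status = 'Unreachable'; Subject = $null; NotAfter = $null }
})

$Report | Sort-Object ComputerName | Format-Table -AutoSize
$Report | Export-Csv -Path .\root-cert-report.csv -NoTypeInformation
```

Two caveats worth keeping in mind when reading the report. A "Not Installed" row only means the certificate is absent from the machine store at the moment the check ran; if the certificate is delivered by Group Policy it may appear after the next policy refresh, so rerun before raising an alarm. And "Unreachable" or "Error" rows are not evidence either way about the certificate; those hosts have to be checked another way (for example via a scheduled task or your endpoint management tool) rather than silently counted as compliant.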