2

It seems that running certutil.exe -DCInfo Verify will check the certificates for all domain controllers in the domain of the logged-in user account.

In our AD forest, we have a handful of domains. I only have a unique account in two of them, but have administrative permissions over all of them.

Is there a way I can run the command to target a different domain than the one I'm logged into, or do I really have to have an account in each one?!

Alternately, is there another way to accomplish the same goal?

ewall
  • 1,064
  • 3
  • 15
  • 23

3 Answers

0

certutil works in the user context from which it is called.

It seems unlikely that you will be able to achieve what you want without an account on each domain, unless you can think of a way to impersonate the other users - which would probably require calling into the Win32 API. Here's a SO question which might help you if you decide to go down that route.

crb
  • 7,998
  • 1
  • 38
  • 53
  • Interesting, I may fool around with the impersonation code just for fun, but in the meantime I'll probably need accounts in each sub-domain. Thanks! – ewall Nov 14 '11 at 14:37
0
  1. What happens if you use psexec to execute the certutil.exe command on a domain controller belonging to each domain that you would like to target, using your trusted domain admin account from another domain in the forest?

  2. Alternately, can you use your domain admin privileges to create a svc_certchk account in each domain?

Skyhawk
  • 14,200
  • 4
  • 53
  • 95
  • As @crb mentioned, `certutil` runs in the user context, so no matter what DC I run it on it will run for the domain of the executing user account. Yes, I could create accounts in each domain, which is what I was trying to avoid, but I suppose that's the only reasonable option. – ewall Nov 14 '11 at 14:35
0

After running into the same issue I was able to get the information I needed via Powershell thanks to someone else's blog post.

Credit: (original link if it's still online when you read this)

http://blogs.technet.com/b/heyscriptingguy/archive/2011/02/16/use-powershell-and-net-to-find-expired-certificates.aspx

Code:

# Open the remote DC's LocalMachine "Personal" (My) store read-only.
# The remote registry call runs under the calling user's credentials.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\dc1\My","LocalMachine")
$store.Open("ReadOnly")
$store.Certificates   # emits the X509Certificate2 objects for you to inspect
$store.Close()

You can then parse the resulting certificate objects. There may be some access issues to work through but it all worked fine for me in my environment using an Enterprise Administrator account against 2003 and 2008 servers.

masegaloeh
  • 18,236
  • 10
  • 57
  • 106
Matt
  • 1,903
  • 13
  • 12
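The last answer opens one DC's store by hand. The script below is an added example (not from any of the answers above) that generalises the same remote-X509Store approach across the whole forest: it walks every domain and every domain controller via System.DirectoryServices.ActiveDirectory, opens each DC's LocalMachine\My store read-only, and reports certificates that are expired or expire within a configurable window. It assumes the account you run it under is trusted (forest-wide admin is enough) and has remote registry access on each DC; the $WarnDays parameter and the Status labels are my own conventions, not anything certutil or the answers define.

```powershell
# Added example: inventory certificates in every DC's machine store across the forest.
# Assumes the caller has admin/remote-registry access to each DC (same requirement as
# the single-DC snippet in the answer above).
param(
    [int]$WarnDays = 30   # assumed threshold: flag certs expiring within this many days
)

Add-Type -AssemblyName System.Security   # X509Store lives here on Windows PowerShell

$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$now     = Get-Date
$results = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $storePath = "\\$($dc.Name)\My"
        try {
            # Remote store open: same call as the single-DC example, just parameterised per DC
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storePath, 'LocalMachine')
            $store.Open('ReadOnly')
            foreach ($cert in $store.Certificates) {
                $daysLeft = [int]($cert.NotAfter - $now).TotalDays
                if     ($cert.NotAfter -lt $now)                     { $status = 'EXPIRED'  }
                elseif ($cert.NotAfter -lt $now.AddDays($WarnDays))  { $status = 'EXPIRING' }
                else                                                 { $status = 'OK'       }
                [pscustomobject]@{
                    Domain     = $domain.Name
                    DC         = $dc.Name
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    DaysLeft   = $daysLeft
                    Status     = $status
                }
            }
            $store.Close()
        }
        catch {
            # Access denied or RPC unreachable: surface it instead of silently skipping the DC,
            # since a DC you could not audit is itself a finding.
            [pscustomobject]@{
                Domain     = $domain.Name
                DC         = $dc.Name
                Subject    = $null
                Thumbprint = $null
                NotAfter   = $null
                DaysLeft   = $null
                Status     = "ERROR: $($_.Exception.Message)"
            }
        }
    }
}

# Worst first: errors and expired certificates float to the top
$results | Sort-Object Status, NotAfter | Format-Table -AutoSize
```

Because the remote store is read with the caller's own credentials, the account only has to be trusted by each target domain, not a member of it; if you do need to run it as a specific domain's account, launch the script under that account (for example with `Start-Process powershell -Credential`) rather than creating extra service accounts. Any DC that comes back with an ERROR row is worth checking for firewall or remote-registry restrictions before assuming its certificates are fine.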