get AD User Object cert in remote session

by davetechsearch at 2013-04-02 11:37:06

Is there a way to ‘see’ the Certificate(s) in the AD User Object container in a remote session (for the user that initiated the session)?

(gci cert]

This errors out when running the cmd:
The system cannot open the device or file specified.
+ CategoryInfo :
+ FullyQualifiedErrorId : System.Security.Cryptography.CryptographicExc
by coderaven at 2013-04-02 11:51:15
There are a few different ways to get that information noted here.

If you have remoting enabled, it is pretty easy; if not, I liked this solution:

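function Get-Cert( $computer=$env:computername ){
    # Open the Root store of the target machine read-only and return its certificates
    $ro=[System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
    $lm=[System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
    $store=new-object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\root",$lm)
    $store.Open($ro)
    $store.Certificates
}

Get-Cert "REMOTECOMPUTER"| ?{$_.NotAfter -lt (Get-Date)} | format-list -property PSPath,FriendlyName,NotAfter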

The code needs a little cleanup and I have not tested it. Let me know how it goes.
by davetechsearch at 2013-04-02 12:05:28
I’ll give that a try with what I’m trying to do… I should probably provide more detail:

1. I remote to a machine
2. I attempt to list the certificates in UserDS (for the remoting user) while in the remote session
3. Getting a listing of the contents of this container errors out. Listing other containers under \CurrentUser\ works just fine.
by davetechsearch at 2013-04-02 12:14:29
This is what I am running… runs fine locally, but still errors out at — "$store.open($ro)" — when in the remote session.

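$ro = [System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
$cu = [System.Security.Cryptography.X509Certificates.StoreLocation]"CurrentUser"
$store = new-object System.Security.Cryptography.X509Certificates.X509Store("userds",$cu)
$store.open($ro)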

Exception calling "Open" with "1" argument(s): "The system cannot open the d
evice or file specified.
At line:1 char:12
+ $ <<<< ($ro)
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationExcepti
+ FullyQualifiedErrorId : DotNetMethodException

As for my original intention… I was hoping to encrypt some data locally (encryption and decryption work fine locally), send it over the wire to its destination and decrypt it at the other end for use. I was hoping to use the thumbprint from the UserDS container to perform the encryption/decryption.
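
The thread reports that UserDS opens locally but not in the remote session, while other CurrentUser stores list fine remotely. The following is an added example, not code from any poster: it reads the certificate in the local session, passes its thumbprint and public bytes to the remote side, and checks there whether a matching private key exists for decryption. REMOTECOMPUTER is the thread's placeholder; the helper name Get-UserDSCert, picking the first unexpired certificate, and looking in CurrentUser\My are assumptions.

```powershell
# Added example (not from the thread). Helper name and overall flow are assumptions.
function Get-UserDSCert {
    # Open CurrentUser\UserDS read-only in the LOCAL session, where the thread says it works.
    $cu = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
    $ro = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('UserDS', $cu)
    $store.Open($ro)
    try {
        # Materialize the list before closing the store; skip expired certificates.
        $certs = @($store.Certificates | Where-Object { $_.NotAfter -gt (Get-Date) })
    }
    finally { $store.Close() }
    $certs
}

$cert = Get-UserDSCert | Select-Object -First 1
if (-not $cert) { throw 'No unexpired certificate found in CurrentUser\UserDS.' }

# Only the thumbprint and the public DER bytes cross the wire.
$result = Invoke-Command -ComputerName 'REMOTECOMPUTER' `
    -ArgumentList $cert.Thumbprint, $cert.RawData -ScriptBlock {
    param([string]$Thumbprint, [byte[]]$RawData)

    # Rebuild the public certificate from bytes; UserDS is never opened remotely.
    $pub = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (,$RawData)
    if ($pub.Thumbprint -ne $Thumbprint) {
        throw 'Certificate bytes do not match the expected thumbprint.'
    }

    # Decryption needs the private key; check the remote user's personal store for it.
    $mine = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }

    New-Object PSObject -Property @{
        Subject              = $pub.Subject
        Thumbprint           = $pub.Thumbprint
        PrivateKeyInRemoteMy = [bool]($mine -and $mine.HasPrivateKey)
    }
}

$result | Format-List Subject, Thumbprint, PrivateKeyInRemoteMy
```

If PrivateKeyInRemoteMy is False, the remote session can encrypt to this certificate but cannot decrypt data that was encrypted with it.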