
Background

Due to low-budget constraints we are using roaming credentials instead of smart cards in our environment.

Problem

Now we have recognized that the relevant AD user attributes became quite large, particularly msPKIDPAPIMasterKeys and msPKIAccountCredentials. Looking at the users' certificate stores, we see there are many certificates that are not valid (expired) anymore.

This situation results in unnecessary WAN traffic (LDAP, to be specific) and data that gets transferred each time a group policy background/foreground refresh, etc. takes place.

E.g. the HP UPD driver notification 'feature' queries via LDAP the first 100 user objects in AD to determine whether it should display a balloon or not... Of course this can be disabled, which is what we are about to do. I just brought up that example to illustrate how large AD objects can have a big impact on DC performance and WAN saturation.

Question

What would be the best way to purge all stale (expired) PKI data from the AD user objects?

Matthias Güntert
    We don't use roaming credentials, so I am unsure how to delete only the EXPIRED credentials... Found this that describes how to delete them ALL. Perhaps you could find more details within this article on how to refine the process to accomplish that. http://social.technet.microsoft.com/wiki/contents/articles/11483.credential-roaming.aspx#Deleting_Roaming_Credentials_from_Active_Directory – Clayton Nov 10 '15 at 17:47
    See if this helps any too... http://blogs.technet.com/b/xdot509/archive/2013/05/10/operating-a-windows-pki-removing-expired-certificates-from-the-ca-database.aspx – Pimp Juice IT Nov 11 '15 at 03:04
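Before purging anything, it helps to know which user objects actually carry the bulk and how many expired certificates a user's store still holds. The following PowerShell is an added example written for this page; it is not code from the question, the comments, or the linked articles. It assumes the ActiveDirectory module is available and that Get-ADUser returns the two DN-with-binary attributes (msPKIAccountCredentials, msPKIDPAPIMasterKeys) in the LDAP string form `B:<hex-char-count>:<hex-bytes>:<DN>`; the function names, the `jdoe` sample user and the `example.com` DNs are constructed for illustration. It only reports; it deletes nothing.

```powershell
# Added example (not from the original post): size up credential-roaming data per
# user object and list expired certificates in the current user's personal store.
# Assumption: Get-ADUser returns DN-with-binary values as "B:<count>:<hex>:<DN>",
# where <count> is the number of hex characters, so the payload is <count>/2 bytes.

function Measure-RoamingCredentialBytes {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [object[]]$AccountCredentials = @(),
        [object[]]$DpapiMasterKeys   = @()
    )
    # Returns the binary payload size (bytes) of one attribute value.
    $payloadBytes = {
        param($v)
        if ($v -is [byte[]]) { return $v.Length }          # already raw bytes
        $parts = ([string]$v).Split(':', 4)
        if ($parts.Count -eq 4 -and $parts[0] -eq 'B') {
            return [int]$parts[1] / 2                        # hex chars -> bytes
        }
        return [System.Text.Encoding]::UTF8.GetByteCount([string]$v)  # unknown form
    }
    $credBytes = [int]($AccountCredentials | ForEach-Object { & $payloadBytes $_ } |
                       Measure-Object -Sum).Sum
    $keyBytes  = [int]($DpapiMasterKeys    | ForEach-Object { & $payloadBytes $_ } |
                       Measure-Object -Sum).Sum
    [pscustomobject]@{
        SamAccountName   = $SamAccountName
        CredentialValues = $AccountCredentials.Count
        CredentialBytes  = $credBytes
        MasterKeyValues  = $DpapiMasterKeys.Count
        MasterKeyBytes   = $keyBytes
        TotalBytes       = $credBytes + $keyBytes
    }
}

# Queries AD and returns the users with the largest roaming-credential payloads.
function Get-RoamingCredentialReport {
    param([string]$SearchBase, [int]$Top = 20)
    Import-Module ActiveDirectory
    $params = @{ Filter = '*'; Properties = 'msPKIAccountCredentials', 'msPKIDPAPIMasterKeys' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADUser @params | ForEach-Object {
        $u = $_
        Measure-RoamingCredentialBytes -SamAccountName $u.SamAccountName `
            -AccountCredentials @($u.msPKIAccountCredentials | Where-Object { $null -ne $_ }) `
            -DpapiMasterKeys    @($u.msPKIDPAPIMasterKeys    | Where-Object { $null -ne $_ })
    } | Sort-Object TotalBytes -Descending | Select-Object -First $Top
}

# Lists certificates in the user's personal store whose validity period has ended.
function Get-ExpiredUserCertificate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.NotAfter -lt (Get-Date) } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# Offline check with constructed values (no domain needed); the hex payloads are
# placeholders, not real key material.
$sample = Measure-RoamingCredentialBytes -SamAccountName 'jdoe' `
    -AccountCredentials @('B:8:deadbeef:CN=jdoe,OU=Users,DC=example,DC=com') `
    -DpapiMasterKeys    @('B:4:cafe:CN=jdoe,OU=Users,DC=example,DC=com')
$sample | Format-List

# In a domain, run e.g.:
#   Get-RoamingCredentialReport -SearchBase 'OU=Users,DC=example,DC=com' -Top 10
#   Get-ExpiredUserCertificate
```

The byte counts cover only the binary payload of each value; the DN string carried alongside every value adds to what LDAP actually replicates, so treat the figures as a lower bound when comparing users. Running the expired-certificate listing under a roaming user's own session shows what the local store still holds, which is the set the question is asking to reconcile against the AD attributes.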

0 Answers