Background
Due to low-budget constraints we are using roaming credentials instead of smart cards in our environment.
Problem
Now we have recognized that the relevant AD user attributes became quite large, particularly msPKIDPAPIMasterKeys and msPKIAccountCredentials. Looking at the users' certificate stores, we see there are many certificates that are not valid (expired) anymore.
This situation results in unnecessary WAN traffic (LDAP, to be specific) and data that gets transferred each time a group policy background/foreground refresh, etc. takes place.
E.g. the HP UPD driver notification 'feature' queries via LDAP the first 100 user objects in AD to determine whether it should display a balloon or not... of course this can be disabled, which is what we are about to do. I just brought up that example to illustrate how large AD objects can have a big impact on DC performance and WAN saturation.
Question
What would be the best way to purge all stale (expired) PKI data from the AD user objects?
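Before purging anything it helps to know which user objects actually carry the bloat. The following audit script is added here and is not part of the question; it sizes the two credential-roaming attributes per user with the ActiveDirectory PowerShell module and assumes the values come back as DN-Binary strings of the form "B:<hexlen>:<hex>:<DN>" (byte[] values are handled as a fallback).

```powershell
# Added audit script (not from the original post): report per-user size and value count of the
# credential-roaming attributes msPKIAccountCredentials and msPKIDPAPIMasterKeys so the largest
# objects (the ones driving the LDAP/WAN cost) can be identified before any clean-up.
# Assumption: both attributes are returned by Get-ADUser as DN-Binary strings "B:<hexlen>:<hex>:<DN>".
Import-Module ActiveDirectory

$attrs = 'msPKIAccountCredentials', 'msPKIDPAPIMasterKeys'

function Get-ValueByteLength {
    param($Value)
    if ($Value -is [byte[]]) { return [int64]$Value.Length }
    $s = [string]$Value
    # DN-Binary: the number after "B:" is the count of hex characters, i.e. 2 per byte
    if ($s -match '^B:(\d+):') { return [int64]([int]$Matches[1] / 2) }
    # Unknown representation: fall back to the UTF-16 size of the string as stored by .NET
    return [int64][System.Text.Encoding]::Unicode.GetByteCount($s)
}

$report = foreach ($u in Get-ADUser -Filter * -Properties $attrs) {
    $row   = [ordered]@{ SamAccountName = $u.SamAccountName }
    $total = [int64]0
    foreach ($a in $attrs) {
        $vals  = @($u.$a | Where-Object { $null -ne $_ })
        $bytes = [int64]0
        foreach ($v in $vals) { $bytes += Get-ValueByteLength $v }
        $row["$a.Count"] = $vals.Count
        $row["$a.KB"]    = [math]::Round($bytes / 1KB, 1)
        $total += $bytes
    }
    $row['TotalKB'] = [math]::Round($total / 1KB, 1)
    [pscustomobject]$row
}

# Largest objects first: these accounts are where stale roaming data hurts replication and GPO traffic most.
$report | Sort-Object TotalKB -Descending | Select-Object -First 25 | Format-Table -AutoSize
$report | Export-Csv -Path .\pki-roaming-sizes.csv -NoTypeInformation
```

Run it again after any clean-up to confirm the attribute sizes actually dropped; the CSV gives a before/after baseline per account.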