A colleague asked me if I could list all expiring certificates on all Domain Joined servers in the environment.
– Sure!
A few minutes later, a script that connects to all servers and lists certificates that will expire in less than 90 days. I'm sure there are a thousand scripts out there that do the same, and here is script number 1001.
```powershell
# Query AD for enabled Windows Server computer accounts (excluding cluster virtual objects),
# then run the certificate check on each of them over PowerShell remoting.
Invoke-Command -ComputerName (get-adcomputer -LDAPFilter "(&(objectCategory=computer)(operatingSystem=Windows Server*)(!serviceprincipalname=*MSClusterVirtualServer*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -Property name | sort-object Name).Name -Command {
    # Machine personal store: keep certificates still valid today, compute days left, keep those under 90
    get-childitem cert:LocalMachine\My -recurse | where-object {$_.NotAfter -gt (get-date)} | select Subject,FriendlyName,Thumbprint,@{Name="Expires in (Days)";Expression={($_.NotAfter).subtract([DateTime]::Now).days}} | where "Expires in (Days)" -lt 90
}
```
The script gets all Windows Server computer accounts that are not expired and are not virtual objects (such as a Cluster Service).
It then connects to those servers and lists all certificates that will expire in less than 90 days.
Short and easy to use, and we did find 2 certificates that need to be replaced ASAP!
Thanks, great script.
I get Invoke-Command : One or more computer names are not valid. If you are trying to pass a URI, use the -ConnectionUri
parameter, or pass URI objects instead of strings.
At E:\scripts\GetMemberServers_Certs.ps1:1 char:1
+ Invoke-Command -ComputerName (get-adcomputer -LDAPFilter “(&(objectCategory=comp …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (System.String[]:String[]) [Invoke-Command], ArgumentException
+ FullyQualifiedErrorId : PSSessionInvalidComputerName,Microsoft.PowerShell.Commands.InvokeCommandCommand
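As an added example (not the author's script and not the commenter's), here is the same scan written so that a bad or empty computer name, one cause of the "One or more computer names are not valid" error shown in the comment above, or an unreachable host does not abort the whole run, and so that already-expired certificates are reported as well. It assumes the RSAT ActiveDirectory module and WinRM access to the targets, as the original one-liner does; the $ThresholdDays parameter and the output column names are my own choices.

```powershell
# Added example, not the post's script. Assumes the RSAT ActiveDirectory module
# and WinRM access to the targets, as the original one-liner does.
param(
    [int]$ThresholdDays = 90   # report certificates expiring within this many days
)
Import-Module ActiveDirectory

# Same filter as the original: Windows Server OS, not a cluster virtual object,
# and not disabled (userAccountControl bit 2).
$ldap = "(&(objectCategory=computer)(operatingSystem=Windows Server*)" +
        "(!serviceprincipalname=*MSClusterVirtualServer*)" +
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

# Use DNSHostName so Invoke-Command gets a resolvable FQDN, and drop accounts
# with an empty value, one cause of "One or more computer names are not valid".
$servers = Get-ADComputer -LDAPFilter $ldap -Properties DNSHostName |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_.DNSHostName) } |
    Sort-Object DNSHostName |
    Select-Object -ExpandProperty DNSHostName

# SilentlyContinue + ErrorVariable: one unreachable host no longer aborts the run.
$results = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue `
    -ErrorVariable failed -ArgumentList $ThresholdDays -ScriptBlock {
    param($Threshold)
    Get-ChildItem Cert:\LocalMachine\My -Recurse | ForEach-Object {
        $days = ($_.NotAfter - (Get-Date)).Days
        # Negative values are certificates that have already expired; the
        # original one-liner filtered those out, here they are reported too.
        if ($days -lt $Threshold) {
            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                Subject       = $_.Subject
                FriendlyName  = $_.FriendlyName
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey   # a server cert, not just a trusted CA copy
                NotAfter      = $_.NotAfter
                DaysLeft      = $days
            }
        }
    }
}

$results | Sort-Object DaysLeft | Format-Table Computer, Subject, DaysLeft, HasPrivateKey -AutoSize

# Report hosts that could not be queried so the inventory is not silently partial.
foreach ($e in $failed) {
    Write-Warning ("Could not query {0}: {1}" -f $e.TargetObject, $e.Exception.Message)
}
```

Run it from a domain-joined admin workstation; the warnings at the end list the servers whose certificate stores were not inspected, which is what turns a "no findings" result into a trustworthy one.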