It seems that running certutil.exe -DCInfo Verify will check the certificates for all domain controllers in the domain of the logged-in user account.
In our AD forest, we have a handful of domains. I only have a unique account in two of them, but have administrative permissions over all of them.
Is there a way I can run the command to target a different domain than the one I'm logged into, or do I really have to have an account in each one?!
Alternately, is there another way to accomplish the same goal?
certutil works in the user context from which it is called. It seems unlikely that you will be able to achieve what you want without an account on each domain, unless you can think of a way to impersonate the other users - which would probably require calling into the Win32 API. Here's a SO question which might help you if you decide to go down that route.
What happens if you use psexec to execute the certutil.exe command on a domain controller belonging to each domain that you would like to target, using your trusted domain admin account from another domain in the forest?

Alternately, can you use your domain admin privileges to create a svc_certchk account in each domain?

After running into the same issue I was able to get the information I needed via PowerShell thanks to someone else's blog post.
Credit: (original link if it's still online when you read this)
http://blogs.technet.com/b/heyscriptingguy/archive/2011/02/16/use-powershell-and-net-to-find-expired-certificates.aspx
Code:
You can then parse the resulting certificate objects. There may be some access issues to work through but it all worked fine for me in my environment using an Enterprise Administrator account against 2003 and 2008 servers.
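As an added example (not the answer's script or the one from the linked blog post), here is a PowerShell script that walks every domain in the current forest, enumerates each domain's controllers through System.DirectoryServices.ActiveDirectory, and opens each DC's LocalMachine\My store remotely through .NET's X509Store using the \\server\My path, which is the technique that blog post relies on. It assumes the caller holds an account trusted across the whole forest (the answer used an Enterprise Administrator account) and that the Remote Registry service on each DC is reachable; the $WarnDays parameter and the Status labels are my own additions.

```powershell
# Added example: report certificates in LocalMachine\My on every domain
# controller in every domain of the forest, flagging ones near expiry.
# Assumption: the account running this is trusted in all forest domains and
# Remote Registry is reachable on each DC (the remote store path depends on it).
param(
    [int]$WarnDays = 30   # flag certificates expiring within this many days
)

Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$now    = Get-Date

foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        # "\\<fqdn>\My" opens the remote machine's personal store via the registry
        $storePath = "\\$($dc.Name)\My"
        try {
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storePath, 'LocalMachine')
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        } catch {
            # access denied, firewall, or Remote Registry stopped: report and move on
            Write-Warning "$($dc.Name): cannot open remote store ($($_.Exception.Message))"
            continue
        }

        foreach ($cert in $store.Certificates) {
            $daysLeft = [int]($cert.NotAfter - $now).TotalDays
            [pscustomobject]@{
                Domain     = $domain.Name
                DC         = $dc.Name
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                DaysLeft   = $daysLeft
                Thumbprint = $cert.Thumbprint
                Status     = if ($daysLeft -lt 0) { 'EXPIRED' }
                             elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                             else { 'OK' }
            }
        }
        $store.Close()
    }
}
```

Pipe the output to Where-Object { $_.Status -ne 'OK' } or Export-Csv to get just the problem certificates; unlike certutil -DCInfo, this only inspects the store contents and does not perform chain validation, so pair it with a per-domain certutil run where you do have an account.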