Hey Scripting guys!

I am in serious trouble; I need to append X.509 certificates to an AD account, ASAP. Using the following script I can overwrite but I cant append, I need to keep any X.509 certs that are in the account alone. Using arrays I can pull the string from the first account and apply it to the second account. The problem is if there is an existing string, it gets overwritten.  Can you guys help ?

$oguser = get-aduser Smith -Properties userPrincipalName,altSecurityIdentities $altsecid = $oguser.altSecurityIdentities $user = Get-ADUser AdminSmith -Properties userPrincipalName,altSecurityIdentities $user.altSecurityIdentities = $altsecid Set-ADUser -instance $user

Enter the following key words into a search engine:

powershell set-aduser append

lots of examples and details.

Hi David,

Please refer to the certificates section of Set-ADUser. Shouldn't be much different if your 'altSecurityIdentities' is a multivalued attribute.

Certificates

Modifies the DER-encoded X.509v3 certificates of the account. These certificates include the public key certificates issued to this account by the Microsoft Certificate Service. This parameter sets the Certificates property of the account object. The LDAP Display Name (ldapDisplayName) for this property is "userCertificate".

Syntax:
To add values:
-Certificates @{Add=value1,value2,...}

The following example shows how to create a certificate by using the New-Object cmdlet, and then add it to a user account. When this cmdlet is run, <certificate password> is replaced by the password used to add the certificate.

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate certificate1.cer <certificate password>
Set-ADUser saradavis -Certificates @{Add=$cert}