PowerShell to delete specific user certificates

spiceuser-a5t7l · 2021-04-22T17:16:18.000Z

Hello everyone,
Please bear with me, my exposure to command languages is limited. I am trying to edit a powershell script to keep certain certificates in Certificate Manager while deleting all the other certificates. I have currently have this code:

Whenever I try to run it in PowerShell, it throws errors for any cert other than the three I listed in the first command line that states "Remove-Item : Cannot find drive. A Drive with the name '[Subject] (Cert1, Cert2, Cert3) ’ does not exist.

Does anyone have an edit of this code, or another means by which I can retain XYZ certificates, while removing all other certificates?

 $users = "user1","user2","user3","user4","user5"
 Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
     $ifkeep = $false
     foreach($user in $users){
         if($_.Subject -match $user){
             $ifkeep = $true
             break
         }
     }
     if($ifkeep -eq $false){
         Remove-Item $_
     }
 }

Neally · 2021-04-22T17:17:56.000Z

If you post code, please use the ‘Insert Code’ button. Please and thank you!

PLEASE READ BEFORE POSTING! Read if you're new to the PowerShell forum! Programming & Development

Hi, and welcome to the PowerShell forum! Don’t apologize for being a “noob” or “newbie” or “n00b.” There’s just no need – nobody will think you’re stupid, and the forums are all about asking questions. Just ask! Use a descriptive subject. Don’t say “Need help” or “PowerShell Help”, actually summarize what the problem is. It helps the rest of us keep track of which problem is which. Don’t post massive scripts. We’re all volunteers and we don’t have time to read all that, nor will we copy…

spiceuser-a5t7l · 2021-04-22T17:39:33.000Z

Hello Neally,
Appreciate the correction, in my rush to get closure on this hurdle of mine, I posted it without thinking. The post has been edited appropriately, by chance do you have an answer to this question?

Neally · 2021-04-22T17:53:01.000Z

spiceuser-a5t7l:

Hello Neally,
Appreciate the correction, in my rush to get closure on this hurdle of mine, I posted it without thinking. The post has been edited appropriately, by chance do you have an answer to this question?

Welcome. this is a free and volunteer based forum so there is no ‘immediate’ answer unless someone, well, provides one, so you have to be patient.

how about like so

$users = "Cert1" , "Cert2" , "Cert3"
foreach($cert in (Get-ChildItem Cert:\CurrentUser\My)){
   if($cert.Subject -notmatch "$($users -join "|")"){
       remove-item "Cert:\CurrentUser\My\$($cert.thumbprint)" -verbose 
   }
}

spiceuser-a5t7l · 2021-04-23T12:03:22.000Z

Hello again Sir,
First off, thank you, sincerely you really nailed it. I just need to wrap it into a nice batch file for my shop and my H/R users to employ. I previously was utilizing this line of code:

powershell.exe -Command "Get-ChildItem Cert:\CurrentUser\My | Remove-Item"

which essentially nuked all the certificates, in a neat batch file. Utilizing your code, I replace “Get-ChildItem Cert:\CurrentUser\My | Remove-Item” with your code, however it did not go as I had thought it did. I am more than likely going about this the wrong however uncertain as to what I need to do in order to remedy it. I know the first part of my batch opens PowerShell, the second part tells PowerShell to run the command within the quotation marks. Again, blindly stabbing in the dark, I believe there is a translation conflict between my batch file and the script you provided. Do you know how I can modify your great product to work in my batch file Sir?

Neally · 2021-04-23T13:21:24.000Z

why batch file?

just call the powershell script from batch, if you need to do that.

Powershell.exe -executionpolicy bypass -File  "C:\scripts\remove-Certs.ps1"

spiceuser-a5t7l · 2021-04-23T14:44:42.000Z

Hello again Sir,
Honestly the thought process behind going towards a singular batch file was ease of setup for either the deployment admin or individual end-user. Providing a step-by-step coloring book guide to those target audiences, as a fire and forget solution. I could even cater it to my customer base and pre-build their batch files for them by inputting into the command line their respective digital certificates, emailing it to them, and simply instructing them to save the file to X folder locale, then copy a shortcut to their desktops, double-click when needed, rinse and repeat. I was able to meet the intended end-state however, in that once setup, the end-user can delete all other user’s digital certificates from their store. Long story short, my H/R folks, as well as subordinate desktop support techs acquire a lot of digital signatures overtime for their respective customers. Using these actions, which again I cannot thank you enough, they can now expunge them without going through the eight or nine step process to clear those certificates manually. While I am aware there are faster methods, various GPOs prevent standard users from accessing some of those resources, ergo this spurned my thought process to run down a singular batch file; that, and I cannot seem to make a .ps1 file type executable through double-clicking the file.

Neally · 2021-04-23T14:56:28.000Z

spiceuser-a5t7l:

I cannot seem to make a .ps1 file type executable through double-clicking the file

That’s by design. You right click it and click on ‘Run With PowerShell’

You can put the file in a central location that everyone can access and just create a shortcut that will launch it.

2021-04-23_9-55-17.png800×417 70.3 KB

You really want to get away from using batchfiles to run powershell.

2021-04-23_9-55-17.png934×487 31.8 KB