We currently have auto-enrolment rights for an Exchange User cert granted to Domain Users. In our environment this is generating more than 50,000 failed requests each week by service accounts which don't have an email address.
I would like to create a security group of users with an email address, and grant enrolment rights on the CA to that group.
I have tried the following script to create such a group, however it's way too slow to be of any use (ours is a large enterprise):

Import-Module ActiveDirectory
# Empty the "SMime Users" group
Get-ADGroup -filter {name -eq "SMime Users"} | ForEach-Object {dsget group -members $_.distinguishedname | dsmod group $_.distinguishedname -rmmbr}
# Re-add every user that has an email address, one user per call
Get-ADUser -filter {emailaddress -like "*"} | ForEach-Object {Add-ADGroupMember "SMime Users" -Members $_.SamAccountName}

Any ideas on a way to bulk add users with an email address to a group? Or another way to achieve the same result?
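
One way to do the bulk update asked about above, as an added example that is not part of the original post: instead of emptying and refilling the group, it computes the difference between users with a mail attribute and current user members, then writes only that difference in batches. `$BatchSize`, `$DryRun` and the two helper functions are assumptions for illustration, and the group's distinguished name is assumed to contain no characters that need LDAP filter escaping.

```powershell
Import-Module ActiveDirectory

$GroupName = 'SMime Users'  # group name from the post
$BatchSize = 1000           # assumption: members sent per directory write
$DryRun    = $true          # assumption: set to $false to apply the changes

$group = Get-ADGroup -Identity $GroupName

# Collect the distinguished names of all users matching an LDAP filter.
function Get-UserDnSet {
    param([string]$LdapFilter)
    $set = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    Get-ADUser -LDAPFilter $LdapFilter |
        ForEach-Object { [void]$set.Add($_.DistinguishedName) }
    return ,$set   # leading comma keeps the set from being unrolled
}

# Emit a list as arrays of at most $Size items (each array is one output object).
function Split-Batch {
    param([string[]]$Items, [int]$Size)
    for ($i = 0; $i -lt $Items.Count; $i += $Size) {
        $end = [Math]::Min($i + $Size, $Items.Count) - 1
        ,($Items[$i..$end])
    }
}

# Users that should be in the group, and users that are direct members now.
# Non-user members (nested groups, contacts) are not returned and stay untouched.
$wanted  = Get-UserDnSet '(mail=*)'
$current = Get-UserDnSet "(memberOf=$($group.DistinguishedName))"

$toAdd    = @($wanted  | Where-Object { -not $current.Contains($_) })
$toRemove = @($current | Where-Object { -not $wanted.Contains($_) })

# One directory write per batch instead of one per user.
Split-Batch $toAdd $BatchSize | ForEach-Object {
    Add-ADGroupMember -Identity $group -Members $_ -WhatIf:$DryRun
}
Split-Batch $toRemove $BatchSize | ForEach-Object {
    Remove-ADGroupMember -Identity $group -Members $_ -Confirm:$false -WhatIf:$DryRun
}

"To add: $($toAdd.Count)  To remove: $($toRemove.Count)"
```

Because accounts that no longer have a mail attribute are removed on each run, the group that carries the enrolment right keeps matching the intended population when the script is run on a schedule.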