jakehildreth · SamErde · Sep 8, 2025 · Sep 8, 2025 · Sep 8, 2025 · Copilot
diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1
@@ -263,7 +263,12 @@ function Find-ESC1 {
             else {
                 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
             }
-            if ( ($SID -notmatch $SafeUsers) -and ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -or ($entry.ActiveDirectoryRights -match 'GenericAll') ) ) {
+            if (
+                ($SID -notmatch $SafeUsers) -and
-                ($SID -notmatch $SafeUsers) -and
+                ($SID -notmatch $SafeUsers) -and
+                # The ObjectType GUID '0e10c968-78fb-11d2-90d4-00c04f79dc55' represents the "Certificate Enrollment" extended right in Active Directory.
-                ($SID -notmatch $SafeUsers) -and
+                ($SID -notmatch $SafeUsers) -and
+                # The ObjectType GUID '0e10c968-78fb-11d2-90d4-00c04f79dc55' represents the "Certificate Enrollment" extended right in Active Directory.
+                ( ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and
+                    ( $entry.ObjectType -match '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000' ) ) -or
+                ($entry.ActiveDirectoryRights -match 'GenericAll') )
+            ) {
                 $Issue = [pscustomobject]@{
                     Forest                = $_.CanonicalName.split('/')[0]
                     Name                  = $_.Name
@@ -4969,7 +4974,7 @@ function Invoke-Locksmith {
         [System.Management.Automation.PSCredential]$Credential
     )
 
-    $Version = '2025.8.25'
+    $Version = '2025.9.8'
     $LogoPart1 = @'
     _       _____  _______ _     _ _______ _______ _____ _______ _     _
     |      |     | |       |____/  |______ |  |  |   |      |    |_____|

diff --git a/Locksmith.psd1 b/Locksmith.psd1
@@ -8,7 +8,7 @@
     FunctionsToExport    = 'Invoke-Locksmith'
     GUID                 = 'b1325b42-8dc4-4f17-aa1f-dcb5984ca14a'
     HelpInfoURI          = 'https://raw.githubusercontent.com/jakehildreth/Locksmith/main/en-US/'
-    ModuleVersion        = '2025.8.25'
+    ModuleVersion        = '2025.9.8'
     PowerShellVersion    = '5.1'
     PrivateData          = @{
         PSData = @{

diff --git a/Private/Find-ESC1.ps1 b/Private/Find-ESC1.ps1
@@ -56,7 +56,12 @@
             } else {
                 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
             }
-            if ( ($SID -notmatch $SafeUsers) -and ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -or ($entry.ActiveDirectoryRights -match 'GenericAll') ) ) {
+            if (
+                ($SID -notmatch $SafeUsers) -and
-                ($SID -notmatch $SafeUsers) -and
+                ($SID -notmatch $SafeUsers) -and
+                # The ObjectType GUID '0e10c968-78fb-11d2-90d4-00c04f79dc55' represents the "Certificate Enrollment" extended right in Active Directory.
-                ($SID -notmatch $SafeUsers) -and
+                ($SID -notmatch $SafeUsers) -and
+                # The ObjectType GUID '0e10c968-78fb-11d2-90d4-00c04f79dc55' represents the "Certificate Enrollment" extended right in Active Directory.
+                ( ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and
+                    ( $entry.ObjectType -match '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000' ) ) -or
+                ($entry.ActiveDirectoryRights -match 'GenericAll') )
+            ) {
                 $Issue = [pscustomobject]@{
                     Forest                = $_.CanonicalName.split('/')[0]
                     Name                  = $_.Name