Unable to delete a root certificate with certmgr manually.
We are in the process of rolling out 802.1x across the organization. All client computers are Windows XP SP3 and they are being joined to the new Active Directory domain during the network migration. (Existing infrastructure is based on Novell NDS, which is being migrated.) A GPO has been created in the AD for the 802.1x parameters and a Thawte Primary root CA for all the client computers.

During the pilot process, we found that in many machines there were already two Thawte Primary root certificates in the Local Machine Trusted Root CA store & one Thawte SSL CA in primary root (which is supposed to be in Intermediate CA). This is causing an 802.1x authentication problem, as the GPO does not overwrite these certificates. Once I delete the faulty certs manually & re-apply the GPO, the machines work fine for 802.1x authentication.

Now, to avoid production problems, we need to mandatorily clean up the machines for the existing Thawte certificates and get it applied from GPO, as the machines join the domain. This can't be done manually as we have over 1500 workstations. The following is the command I tried with the response.

certmgr -del -c -s root -sha1 91c6d6ee3e8ac86384e548c299295c756c817b81
Error: Failed to delete certificates
CertMgr Failed

Trying to delete the certificate with the certificate number also produces the same result.

Please advise on the way forward.

Thanks
Karthik Ragavan
October 27th, 2010 5:25am

Some info:
http://www.google.co.uk/search?q=remove+root+certificates&rls=com.microsoft:en-gb:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7GGLT_en&redir_esc=&ei=G8DITK-KN8qNjAfUpqA2
October 27th, 2010 8:14pm

Thank you for your response. Tried all of them. I get only the MMC-based procedure to remove, which works. In my case, we need it to work from a script, as it has to be implemented for 1500 workstations. Nobody seems to have gotten it working successfully.
October 28th, 2010 3:34am

Karthik,

This thread should be useful to you - Removing certificates from clients programatically

Here's the KB article cited in the thread - How to remove a trusted Certificate Authority from computers in the domain

If you need further assistance, here's a list of the TechNet forums for IT Pros -
http://social.technet.microsoft.com/Forums/en-us/categories/

MowGreen
Windows Expert IT Pro - Consumer Security
October 28th, 2010 3:44pm
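
An added example, not part of the thread: a batch script for the scripted cleanup the question asks for, removing listed SHA-1 thumbprints from the Local Machine Trusted Root store and then re-applying Group Policy. certmgr.exe's -r option selects the store location and defaults to currentUser, so the script passes -r localMachine explicitly. It assumes certmgr.exe is on the PATH and that the script runs with local administrator rights (for example as a computer startup script); the log path and the two REPLACE_... thumbprints are placeholders, since the thread gives only one thumbprint.

```bat
@echo off
rem Added example (not from the thread). Removes stale certificates from
rem the Local Machine Trusted Root store by SHA-1 thumbprint, then
rem refreshes computer Group Policy so the GPO-delivered root is applied.
rem Assumptions: certmgr.exe is on PATH; script runs as local admin.
setlocal

rem Hypothetical log location; change to suit your environment.
set LOGFILE=%SystemRoot%\Temp\thawte-cleanup.log
set FAILED=0

rem First thumbprint is the one quoted in the question. The other two
rem are placeholders for the second Thawte root and the misplaced
rem Thawte SSL CA, whose thumbprints the thread does not give.
for %%T in (
    91c6d6ee3e8ac86384e548c299295c756c817b81
    REPLACE_WITH_SHA1_OF_SECOND_THAWTE_ROOT
    REPLACE_WITH_SHA1_OF_THAWTE_SSL_CA
) do call :remove %%T

rem Re-apply computer policy so the GPO can install its certificate.
gpupdate /target:computer /force >> "%LOGFILE%" 2>&1

endlocal & exit /b %FAILED%

:remove
rem -s = system store, -r localMachine = machine (not per-user) location.
rem Success is detected from certmgr's own "CertMgr Succeeded" message
rem rather than relying on its exit code.
certmgr -del -c -s -r localMachine root -sha1 %1 2>&1 | findstr /c:"CertMgr Succeeded" >nul
if errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME% NOT-REMOVED %1 >> "%LOGFILE%"
    set FAILED=1
) else (
    echo %DATE% %TIME% %COMPUTERNAME% REMOVED %1 >> "%LOGFILE%"
)
goto :eof
```

A NOT-REMOVED entry covers both a failed delete and a thumbprint that was never present on that machine, so review the log against the pilot inventory before treating it as an error.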

This topic is archived. No further replies will be accepted.
