I noticed some of my accounts had certificates in their AD User store
that refereed to other user accounts. On closer inspection, the certs
belonged ot the account from which I had cloned these users. After a
quick test, it appears that DRA clones the published certificates (ones
that have not yet expired at least) when you clone a user account! This
surely cannot be desirable? Is this by design?

shocko's Profile: https://forums.netiq.com/member.php?userid=5104
View this thread: https://forums.netiq.com/showthread.php?t=49183