AD DS: Get all user objects containing UserCertificate
If a certificate template has "Publish certificate in Active Directory" enabled, each issued certificate is published to an attribute (userCertificate) on the user object. This is usually not required, and it might cause some problems.
To find which accounts have certificates published to their user object, run the following one-liner.
Get-ADUser -Filter * -Properties userCertificate | Select-Object Name, DistinguishedName, @{Name='CertCount';Expression={$_.userCertificate.Count}} | Where-Object {$_.CertCount -ge 1} | Sort-Object -Property CertCount
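The one-liner only counts the published certificates. To decide which ones can be cleaned up, the following added example (not part of the original post) decodes each userCertificate value and lists its subject, issuer and expiry date. It assumes the ActiveDirectory module is installed and PowerShell 5 or later; the report column names are chosen here for illustration.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# The LDAP filter returns only users whose userCertificate attribute is populated,
# so the domain controller does the filtering instead of the client.
$users = Get-ADUser -LDAPFilter '(userCertificate=*)' -Properties userCertificate

$report = foreach ($user in $users) {
    foreach ($raw in $user.userCertificate) {
        # Each attribute value is a DER-encoded X.509 certificate stored as a byte array.
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        }
        catch {
            # Report values that do not parse instead of aborting the whole run.
            Write-Warning "Unparseable userCertificate value on $($user.DistinguishedName)"
            continue
        }

        [pscustomobject]@{
            Name              = $user.Name
            DistinguishedName = $user.DistinguishedName
            Subject           = $cert.Subject
            Issuer            = $cert.Issuer
            Thumbprint        = $cert.Thumbprint
            NotAfter          = $cert.NotAfter
            Expired           = $cert.NotAfter -lt (Get-Date)
        }
    }
}

# Unexpired certificates first, then expired ones, each group ordered by expiry date.
$report | Sort-Object Expired, NotAfter | Format-Table -AutoSize
```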