Hello all,
I was looking at all the writes to the AD from MSMQ and am finding 70,000 of these per day! (if you have Splunk, it's worth while checking our if you have the same issue: 
index=<YOUR INDEX> earliest=-1d  EventCode=5136 (LDAPDisplayName=mSMQDigests OR LDAPDisplayName=mSMQSignCertificates)
I found this potential issue that can happen as these certificates clog up the user's AD object - https://blogs.msdn.microsoft.com/johnbreakwell/2008/09/15/clearing-up-msmq-certificates-from-active-directory/
Does anyone know whether it is necessary for MSMQ to publish these certificates to the user's object? Is there a group policy to prevent this from happening?
PS: If you have Splunk, it is definitely enlightening to run this query to see who is making how many changes to your system:
index=<YOUR INDEX> earliest=-1d  EventCode=5136 | stats count by Account_Name
You will be amazed at the number of apps making unnecessary changes to your directory constantly!