This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 57.99999999999999%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
This article indicates that if you have the CA\AuditFilter property set t the max value (127) an event log entry would be triggered when we turn Role Separation on or off. The event ID should be 801:
https://www.serverbrain.org/certificate-security-2003/enabling-auditing-at-the-ca.html
This is not occurring for us, and we're not seeing any other event log entries related to the change.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Mike Bruno ,
Good day!
I'm just following up to make sure you received my last reply and that my answers properly address your questions. If you have any further questions or concerns about this case, please let me know.
Best Regards,
Daisy Zhou
Hello, @Mike Bruno ,
Thank you for posting here.
Based on my test in lab, we need to configure two audit group policy settings:
1.To audit events, the computer must be configured for auditing certification services. Audit policy options can be viewed and managed in local or domain Group Policy under Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Object Access\ Audit Certification Services.
2.To audit events, the computer must also be configured for auditing of object access. Audit policy options can be viewed and managed in local or domain Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies.
We can enable role separation by entering the following certutil command and then restarting Active Directory Certificate Services (AD CS):
certutil -setreg CA\RoleSeparationEnabled 1
Similarly, to disable role separation, a local administrator on the CA server can enter
certutil -delreg CA\RoleSeparationEnabled
Tip: my CA is Windows server 2019, and the Event ID is **4897 when I turn Role Separation on or off.**
For more information, we can refer to the links below.
Q: How can I make sure that a given Windows account is assigned only a single Certification Authority (CA) management role?
https://www.itprotoday.com/security/q-how-can-i-make-sure-given-windows-account-assigned-only-single-certification-authority-ca
Configure CA Event Auditing
https://video2.skills-academy.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772451(v=ws.10)?redirectedfrom=MSDN
Hope the information above is helpful.
Best Regards,
Daisy Zhou
Thanks, Daisy, for the detailed instructions!
ADCS audit is a two-step process: