Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 is an
enterprise root certification authority (CA) for contoso.com.
Your user account is assigned the certificate manager role and the auditor role on the
contoso.com CA. Your account is a member of the local Administrators group on Server1.
You enable CA role separation on Server1.
You need to ensure that you can manage the certificates on the CA.
What should you do?
A. Remove your user account from the local Administrators group.
B. Assign the CA administrator role to your user account.
C. Assign your user account the Bypass traverse checking user right.
D. Remove your user account from the Manage auditing and security log user right.
Quote from: https://technet.microsoft.com/en-us/library/cc773161(v=ws.10).aspx
“The separation of CA roles can be enforced using role separation. Once enforced, role separation only allows a user to be assigned a single role. If a user is assigned to more than one role and attempts to perform an operation on the CA, the operation is denied…”
To enable role separation, use certutil:
certutil -setreg CA\RoleSeparationEnabled 1
To disable it:
certutil -delreg CA\RoleSeparationEnabled
Can someone explain this a bit further? Is local administrator considered the one role the user is allowed in a role-separated environment?
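As an added PowerShell example (not part of the original post), the following script reads the RoleSeparationEnabled value that the certutil commands above set or delete, and lists which user rights on the current token count as CA roles under role separation (Auditor via SeSecurityPrivilege, Backup operator via SeBackupPrivilege/SeRestorePrivilege). It assumes it runs in an elevated session on the CA itself (Server1 in the question) with certutil.exe and whoami.exe available; the CA administrator and certificate manager roles are CA permissions rather than user rights and are not checked.

```powershell
# Added example (not from the original post): report whether role separation is
# enforced on the local CA and which role-granting user rights the token holds.
# Assumes an elevated PowerShell session on the CA with certutil.exe and whoami.exe.

function Get-CARoleSeparationState {
    # 'certutil -setreg CA\RoleSeparationEnabled 1' writes the value read here;
    # after '-delreg' certutil fails, which is treated as "not enforced".
    $out = & certutil.exe -getreg 'CA\RoleSeparationEnabled' | Out-String
    if ($LASTEXITCODE -ne 0) { return $false }
    # Output line looks like "  RoleSeparationEnabled REG_DWORD = 1" (or "= 0x1 (1)")
    $m = [regex]::Match($out, 'RoleSeparationEnabled\s+REG_DWORD\s*=\s*(0x[0-9a-fA-F]+|\d+)')
    if (-not $m.Success) { return $false }
    return ([int]$m.Groups[1].Value) -ne 0
}

function Get-CAUserRightRoles {
    # Documented mapping of user rights to CA roles under role separation.
    $roleMap = @{
        'SeSecurityPrivilege' = 'Auditor'          # Manage auditing and security log
        'SeBackupPrivilege'   = 'Backup operator'  # Back up files and directories
        'SeRestorePrivilege'  = 'Backup operator'  # Restore files and directories
    }
    # whoami /priv lists every privilege on the token (enabled or disabled);
    # the first whitespace-delimited column is the privilege constant.
    $held = (& whoami.exe /priv) | ForEach-Object { ($_.Trim() -split '\s+')[0] } |
        Where-Object { $roleMap.ContainsKey($_) }
    foreach ($priv in $held) {
        [pscustomobject]@{ Privilege = $priv; CARole = $roleMap[$priv] }
    }
}

$enforced = Get-CARoleSeparationState
Write-Host ("Role separation enforced: {0}" -f $enforced)
$roles = @(Get-CAUserRightRoles)
$roles | Format-Table -AutoSize
$distinct = @($roles.CARole | Sort-Object -Unique)
if ($enforced -and $distinct.Count -gt 1) {
    $msg = 'Token holds {0} user-right CA roles; with role separation on, CA operations are denied until only one role remains.'
    Write-Warning ($msg -f $distinct.Count)
}
```

Running it before and after certutil -setreg CA\RoleSeparationEnabled 1 shows which user rights an account would have to give up to be left with a single role.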