Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012 R2. Server1 is an enterprise root certification authority (CA) for
contoso.com.
Your user account is assigned the certificate manager role and the auditor role on the contoso.com CA. Your
account is a member of the local Administrators group on Server1.
You enable CA role separation on Server1.
You need to ensure that you can manage the certificates on the CA.
What should you do?
A. Remove your user account from the local Administrators group.
B. Assign the CA administrator role to your user account.
C. Assign your user account the Bypass traverse checking user right.
D. Remove your user account from the Manage auditing and security log user right.
I believe that the provided answer is correct.
All CA roles are assigned and modified by members of local Administrators, Enterprise Admins, or Domain Admins. On enterprise CAs, local administrators, enterprise administrators, and domain administrators are CA administrators by default.
In order to manage the certificates on the CA, the CA administrator role must be assigned. If we remove local administrator (A), we are also removing the CA administrator role.
Role separation only allows a user to be assigned a single role. If a user is assigned to more than one role and attempts to perform an operation on the CA, the operation is denied. For this reason, before role separation is enabled, a user should be assigned only one CA role.
If we remove the user account from the Manage auditing and security log user right (D), we meet this requirement, and we can manage the certificates on the CA.
https://technet.microsoft.com/en-us/library/cc732590.aspx
Am I understanding this correctly?
You are correct.
Yes, right, D.
The separation of CA roles can be enforced using role separation. Once enforced, role separation only allows a user to be assigned a single role. If a user is assigned to more than one role and attempts to perform an operation on the CA, the operation is denied. For this reason, before role separation is enabled, a user should be assigned only one CA role.
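As an added example (not part of the original thread or of Microsoft's documentation), the script below checks on the CA host whether role separation is enforced and whether the current account holds more than one of the roles the discussion turns on: auditor (the Manage auditing and security log user right, SeSecurityPrivilege) and CA administrator (local Administrators membership, the default on an enterprise CA). It assumes an elevated PowerShell session on Server1 and the standard CertSvc registry layout; the certificate manager permission lives in the CA's ACL and is not inspected here.

```powershell
# Added example, not from the original thread: report role separation state and
# the CA roles the current token carries, so a conflict is visible before the CA
# starts denying operations.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active   # active CA name
$caKey  = Join-Path $cfgKey $caName

# RoleSeparationEnabled is absent until 'certutil -setreg ca\RoleSeparationEnabled 1' is run.
$roleSep = (Get-ItemProperty -Path $caKey -Name RoleSeparationEnabled `
            -ErrorAction SilentlyContinue).RoleSeparationEnabled
$roleSepEnabled = ($roleSep -eq 1)

# Auditor role: SeSecurityPrivilege ("Manage auditing and security log") in the token.
# Assumption: elevated session, otherwise UAC filtering hides this privilege.
$privs     = whoami /priv
$isAuditor = [bool]($privs | Select-String -Pattern '^SeSecurityPrivilege\b')

# CA administrator (by default): BUILTIN\Administrators (S-1-5-32-544) in the token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$isCaAdmin = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

$roles = @()
if ($isAuditor) { $roles += 'Auditor' }
if ($isCaAdmin) { $roles += 'CA administrator' }

"CA: $caName"
"Role separation enforced: $roleSepEnabled"
"Roles held by $($identity.Name): $(if ($roles) { $roles -join ', ' } else { 'none detected' })"

if ($roleSepEnabled -and $roles.Count -gt 1) {
    Write-Warning ("Role separation is on and this account holds $($roles.Count) roles; " +
        "CA operations are denied until only one remains (for example, remove the " +
        "'Manage auditing and security log' user right, as in answer D).")
}
```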