Q: How can I make sure that a given Windows account is assigned only a single Certification Authority (CA) management role?

To ensure a Windows account is assigned only a single Certification Authority (CA) management role, you must use certutil to enable role separation on your Windows CA.

Jan De Clercq

February 28, 2012

1 Min Read

A: To ensure that a Windows account is assigned only a single CA management role (for example, either the CA administrator or the certificate manager role, but not both), you must enable role separation on your Windows CA. When role separation is enabled, the Windows CA automatically blocks any user who holds two or more CA management roles from performing any CA management task at all, so an account that has been granted both roles can no longer administer the CA until one of the roles is removed or role separation is turned off again.

If you have local administrator rights on the CA server, you can enable role separation by entering the following certutil command and then restarting Active Directory Certificate Services (AD CS), because the CA reads this registry value only at service start:

certutil -setreg ca\RoleSeparationEnabled 1

Similarly, to disable role separation, a local administrator on the CA server can enter the following command and restart AD CS. Note that this is also the recovery path if you enable role separation while your own management account still holds two roles and find yourself locked out of CA administration:

certutil -delreg ca\RoleSeparationEnabled
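The following PowerShell script is an added example and is not part of the original article. It wraps the two certutil commands above, restarts the CertSvc service, and then reads the RoleSeparationEnabled value back from the CA's own registry key to confirm the change took effect. It assumes it runs elevated on the CA server and that the active CA's name is stored, as documented, in the Active value under the CertSvc\Configuration key; the function names Get-CaRoleSeparation and Set-CaRoleSeparation are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Assumes it runs elevated on the CA
# server; the registry layout below is the documented CertSvc\Configuration\<CAName> key.

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$caKey     = Join-Path -Path $configKey -ChildPath $caName

function Get-CaRoleSeparation {
    # $true only when RoleSeparationEnabled exists and is 1; missing or 0 means disabled
    $p = Get-ItemProperty -Path $caKey -Name RoleSeparationEnabled -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.RoleSeparationEnabled -eq 1)
}

function Set-CaRoleSeparation {
    param([Parameter(Mandatory)][bool]$Enabled)

    # Before enabling, make sure the account you manage the CA with holds exactly one
    # role; otherwise it is blocked from all CA tasks and you must come back as a local
    # administrator and run this function with -Enabled $false to recover.
    if ($Enabled) {
        certutil -setreg ca\RoleSeparationEnabled 1 | Out-Null
    } else {
        certutil -delreg ca\RoleSeparationEnabled | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

    # The CA only reads this value at service start, so restart AD CS
    Restart-Service -Name CertSvc -Force

    $now = Get-CaRoleSeparation
    if ($now -ne $Enabled) { throw "Role separation is $now on '$caName', expected $Enabled" }
    "Role separation on '$caName' is now " + $(if ($now) { 'enabled' } else { 'disabled' })
}

# Usage:
#   Set-CaRoleSeparation -Enabled $true    # enforce one CA role per account
#   Set-CaRoleSeparation -Enabled $false   # recover an admin account that holds two roles
```

The read-back check matters: certutil -setreg writes the value immediately, but the CA does not enforce role separation until CertSvc has restarted, so confirming the state after the restart rather than after the certutil call avoids assuming the policy is in force when it is not yet.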

CA role separation is a feature that's available only in the Enterprise and Datacenter editions of Windows Server 2003 and Windows Server 2008. Also, CA role separation supports the separation of roles only based on the four CA management roles (CA administrator, certificate manager, auditor, and backup operator) that are defined in the Common Criteria Certificate Issuing and Management Components (CIMC) Security Level 4 standard. It doesn't support separation of roles as defined in lower CIMC levels.

For example, some organizations might want to enforce role separation only for the CA administrator and certificate manager roles (as defined in the CIMC Levels 1 and 2), and not for the auditor and backup operator roles. If you don't want role separation for all four roles, you should leave role separation disabled, which is the default, and instead rely on the CA-specific auditing settings on the CA object to keep track of user accounts' CA management activities, as explained in the Microsoft article "Configure CA Event Auditing."
