A: To ensure that a Windows account is assigned only a single CA management role (for example, either the CA administrator role or the certificate manager role, but not both), you must enable role separation on your Windows CA. When role separation is enabled, the Windows CA automatically blocks any user who is assigned two different CA management roles from performing any CA management task.

If you have local administrator rights on the CA server, you can enable role separation by entering the following certutil command and then restarting Active Directory Certificate Services (AD CS):

certutil -setreg CA\RoleSeparationEnabled 1

Similarly, to disable role separation, a local administrator on the CA server can enter

certutil -delreg CA\RoleSeparationEnabled
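The procedure above as one script, added here as an example and not part of the original answer: it reads the current setting, enables (or, with -Disable, removes) role separation with the same certutil commands, restarts AD CS, and reads the setting back. It assumes it runs elevated on the CA server; the -Disable switch and function name are my own.

```powershell
# Added example: toggle CA role separation and verify it.
# Assumes: run as a local administrator on the CA server (AD CS installed).
[CmdletBinding()]
param(
    [switch]$Disable   # hypothetical switch: remove the value instead of setting it
)

function Get-RoleSeparationState {
    # certutil -getreg exits non-zero when the value has never been written,
    # which is the default (role separation disabled) state.
    $out = & certutil.exe -getreg 'CA\RoleSeparationEnabled' 2>&1
    if ($LASTEXITCODE -ne 0) { return 'not set (disabled, the default)' }
    $line = $out | Where-Object { $_ -match 'RoleSeparationEnabled\s+REG_DWORD' }
    if ($line -match '=\s*(\S+)') { return "set to $($Matches[1])" }
    return 'unknown'
}

# certutil -setreg/-delreg need local administrator rights on the CA server.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script as a local administrator on the CA server.'
}

Write-Host "Before: role separation $(Get-RoleSeparationState)"

if ($Disable) {
    # Same command the answer gives for disabling role separation.
    & certutil.exe -delreg 'CA\RoleSeparationEnabled' | Out-Null
} else {
    # Same command the answer gives for enabling role separation.
    # Note: once enabled, an account holding two CA roles (including the one
    # running this script) is blocked from all CA management tasks.
    & certutil.exe -setreg 'CA\RoleSeparationEnabled' 1 | Out-Null
}
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# The new value is read only when Active Directory Certificate Services starts.
Restart-Service -Name CertSvc -Force

Write-Host "After:  role separation $(Get-RoleSeparationState)"
```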

CA role separation is available only in the Enterprise and Datacenter editions of Windows Server 2003 and Windows Server 2008. Also, CA role separation can separate roles only along the four CA management roles defined in the Common Criteria Certificate Issuing and Management Components (CIMC) Security Level 4 standard; it doesn't support the role separation defined at lower CIMC levels.

For example, some organizations might want to enforce role separation only between the CA administrator and certificate manager roles (as defined in CIMC Levels 1 and 2), and not for the auditor and backup operator roles. If you don't want role separation for all four roles, leave role separation disabled (the default) and instead rely on the CA-specific auditing settings on the CA object to keep track of user accounts' CA management activities, as explained in the Microsoft article "Configure CA Event Auditing."