The post-installation script enables all auditing events for Certificate Services. These auditing events depend on enabling success and failure auditing for Object Access. Because the enterprise root CA is a member of a domain, you should define auditing settings in a GPO applied to the OU where the CA's computer account resides. Use the following procedure to define the GPO at a domain controller in the domain where the enterprise root CA's computer account resides:
1. From Administrative Tools, open Active Directory Users and Computers.
2. In the console tree, expand the OU structure, right-click the OU where the CA's computer account exists, and click Properties.
Note: If the computer account exists in the Computers container, the Group Policy definition must take place at the domain, or the computer account must be moved to an OU.
3. In the OU Properties dialog box, on the Group Policy tab, click New.
4. Name the new Group Policy CA Audit Settings and click Edit.
5. In the console tree, navigate to the following container: Computer Settings\Windows Settings\Security Settings\Local Policies\Audit Policy and enable the following auditing settings based on the Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?LinkId=14846):
■ Account Logon: Success, Failure
■ Account Management: Success, Failure
■ Directory Service Access: Failure
■ Logon Events: Success, Failure
■ Object Access: Success, Failure
■ Policy Change: Success, Failure
■ Privilege Use: Failure
■ Process Tracking: No auditing
■ System Events: Success, Failure
6. Close the Group Policy Editor.
7. In the OU Properties dialog box, click OK.
8. Close Active Directory Users and Computers.
Note: If you have an existing GPO that enables these recommended auditing settings, you can link to it rather than define another GPO with the same settings.
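The following PowerShell script is an added example and is not part of the book or its post-installation script. It writes the nine Audit Policy settings above as a security template (which can be imported into the "CA Audit Settings" GPO from Security Settings, or applied locally with secedit /configure) and then verifies, on the CA host, that the effective audit policy and the CA's own audit filter match. It assumes secedit.exe and certutil.exe are available, that it runs elevated on the CA after the GPO has been refreshed, and that certutil prints the AuditFilter DWORD in the hex-then-decimal form shown in the comment; the function names are this example's own.

```powershell
# Added example (not from the book): write the recommended audit settings as a security
# template, then verify a CA host's effective audit policy and its CA audit filter.
# Assumptions: secedit.exe and certutil.exe are on the path, and the script runs elevated
# on the CA after the GPO has been applied (gpupdate /force).

# The nine Audit Policy settings from the procedure, expressed as [Event Audit] template
# keys. Template values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
$RequiredAudit = [ordered]@{
    'AuditAccountLogon'    = 3   # Account Logon: Success, Failure
    'AuditAccountManage'   = 3   # Account Management: Success, Failure
    'AuditDSAccess'        = 2   # Directory Service Access: Failure
    'AuditLogonEvents'     = 3   # Logon Events: Success, Failure
    'AuditObjectAccess'    = 3   # Object Access: Success, Failure (required for CA auditing)
    'AuditPolicyChange'    = 3   # Policy Change: Success, Failure
    'AuditPrivilegeUse'    = 2   # Privilege Use: Failure
    'AuditProcessTracking' = 0   # Process Tracking: No auditing
    'AuditSystemEvents'    = 3   # System Events: Success, Failure
}

# 127 (0x7F) turns on all seven Certificate Services audit event flags, i.e. "all auditing
# events for Certificate Services" as the post-installation script sets in CA\AuditFilter.
$RequiredCaAuditFilter = 127

function New-CaAuditTemplate {
    # Writes a security template that can be imported into the GPO
    # (Security Settings > Import Policy) or applied locally with secedit /configure.
    param([string]$Path = (Join-Path $env:TEMP 'CA-Audit-Settings.inf'))
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Event Audit]')
    foreach ($key in $RequiredAudit.Keys) { $lines += "$key = $($RequiredAudit[$key])" }
    # Security templates are expected in Unicode (UTF-16 LE); -Encoding Unicode produces that.
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

function Get-EffectiveEventAudit {
    # secedit exports the effective local security policy, including values applied by GPO, to an INF file.
    $inf = Join-Path $env:TEMP 'effective-policy.inf'
    secedit /export /cfg $inf | Out-Null
    $effective = @{}
    $section = $null
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'Event Audit' -and $line -match '^\s*(\w+)\s*=\s*(\d+)') {
            $effective[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $effective
}

function Get-CaAuditFilter {
    # Assumed output format: certutil prints the DWORD as hex followed by decimal in
    # parentheses, e.g. "AuditFilter REG_DWORD = 7f (127)"; the decimal value is used.
    $text = (certutil -getreg CA\AuditFilter 2>&1) -join "`n"
    if ($text -match 'AuditFilter\s+REG_DWORD\s*=\s*[0-9a-fA-F]+\s*\((\d+)\)') { return [int]$Matches[1] }
    return $null
}

function Test-CaAuditConfiguration {
    # Returns one row per setting that drifts from the recommendation; no rows means compliant.
    $effective = Get-EffectiveEventAudit
    $drift = @()
    foreach ($key in $RequiredAudit.Keys) {
        $actual = if ($effective.ContainsKey($key)) { $effective[$key] } else { 'not set' }
        if ("$actual" -ne "$($RequiredAudit[$key])") {
            $drift += [pscustomobject]@{ Setting = $key; Required = $RequiredAudit[$key]; Effective = $actual }
        }
    }
    $filter = Get-CaAuditFilter
    if ($filter -ne $RequiredCaAuditFilter) {
        $drift += [pscustomobject]@{ Setting = 'CA\AuditFilter'; Required = $RequiredCaAuditFilter; Effective = $filter }
    }
    return $drift
}

$template = New-CaAuditTemplate
Write-Host "Security template written to $template"
$drift = @(Test-CaAuditConfiguration)
if ($drift.Count -eq 0) { Write-Host 'Audit policy and CA audit filter match the recommended settings.' }
else { $drift | Format-Table -AutoSize }
```

Run the check after a gpupdate /force on the CA: because the CA's audit events depend on Object Access auditing, a drift row for AuditObjectAccess means Certificate Services events will silently not be written to the Security log even though CA\AuditFilter is set to 127.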