If this setting is enabled, you cannot perform any CA actions if you have both ManageCA and ManageCertificates permissions. Only CA admins can modify the setting.
We need it for the ESC7 implementation, as some attack narratives require both ManageCA and ManageCertificates and could therefore be blocked by this setting.
Description
Collection of enterpriseCA setting RoleSeparationEnabled
Ticket: BED-4351
Depends on this PR for commonlib: https://github.com/BloodHoundAD/SharpHoundCommon/pull/120
Motivation and Context
If this setting is enabled, you cannot perform any CA actions if you have both ManageCA and ManageCertificates permissions. Only CA admins can modify the setting.
We need it for the ESC7 implementation, as some attack narratives require both ManageCA and ManageCertificates and could therefore be blocked by this setting.
More info on the setting: Q: How can I make sure that a given Windows account is assigned only
How Has This Been Tested?
Collection in my lab: 20240426013313_BloodHound.zip
Screenshots (if appropriate):
Types of changes
Checklist: