Thursday, February 23, 2012 10:34
Event ID 4870 (Windows 2008 R2) Certificate Authority Server is generated when a certificate is revoked.
The only information it carries is which certificate was revoked. It does not tell WHO revoked the certificate.
Is there a way or any other event which can help in finding out who revoked the certificates?
Auditing is already enabled.
All replies
Monday, February 27, 2012 10:32
Unfortunately Windows does not report who revoked the certificate, just that it happened.
Monday, February 27, 2012 11:51
If you have Auditing enabled (on the Auditing tab of the AD CS properties), and you have the Certification Services audit subcategory enabled (see AUDITPOL or Advanced Audit Policy Configuration in GPO) or just the whole Object Access category - you will see the revocation events in the Security event log. And these log entries record the user identity who did the revocation.
- Marked as answer by Bruce-LiuModerator Thursday, March 1, 2012 09:30
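
The two audit settings named in the answer above, followed by a query for event 4870, as an added PowerShell example that is not part of the thread. It assumes an elevated prompt on the CA server; `Get-CertRevocationEvent` is a hypothetical helper name, and it lists every named field the event carries rather than assuming particular field names.

```powershell
# Added example, not from the thread. Run elevated on the CA server.

# 1. Show the current state of both settings the answer names.
auditpol /get /subcategory:"Certification Services"
certutil -getreg CA\AuditFilter        # the Auditing tab of the CA properties

# 2. Enable them if they are off (127 = every checkbox on the Auditing tab).
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
certutil -setreg CA\AuditFilter 127
Restart-Service -Name certsvc          # the CA applies AuditFilter on restart

# 3. Pull revocation events from the Security log and flatten every named
#    EventData field, so whatever identity data each event records is visible.
function Get-CertRevocationEvent {     # hypothetical helper name
    param([int]$MaxEvents = 50)

    $filter = @{ LogName = 'Security'; Id = 4870 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $row = [ordered]@{
                TimeCreated = $_.TimeCreated
                RecordId    = $_.RecordId
            }
            $xml = [xml]$_.ToXml()
            foreach ($d in $xml.Event.EventData.Data) {
                # Skip unnamed data elements; keep name/value pairs as-is.
                if ($d.Name) { $row[$d.Name] = $d.'#text' }
            }
            [pscustomobject]$row
        }
}

Get-CertRevocationEvent | Format-List
```

Only revocations performed after both settings are enabled are logged, so test with a certificate revoked after step 2.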