Event ID 4885 | Information | Microsoft-Windows-Security-Auditing | Windows

Windows Event ID 4885 – Security: Certificate Services Template Security Permissions Changed

Event ID 4885 fires when security permissions on a Certificate Authority template are modified, indicating changes to who can request or manage specific certificate types.

Emanuel DE ALMEIDA
18 March 2026 | 9 min read
Event Reference

What This Event Means

Windows Event ID 4885 represents a security audit event that tracks modifications to Certificate Authority template permissions within Active Directory Certificate Services environments. This event generates automatically when the security descriptor of a certificate template object is modified in the Active Directory Configuration partition.

The event occurs when administrators use tools like the Certificate Templates MMC snap-in, PowerShell PKI cmdlets, or direct LDAP operations to change who can enroll for certificates, read template properties, or manage template configurations. Each permission change triggers a separate 4885 event, providing granular tracking of template security modifications.

Certificate templates define the rules and settings for certificate enrollment, including cryptographic parameters, validity periods, and most importantly, which users or computers can request certificates based on that template. When template permissions change, it directly impacts certificate enrollment capabilities across the enterprise, making this event critical for PKI security monitoring.

The event data includes the template name, the security principal making the change, the type of permission modification, and timestamp information. This data enables security teams to track template permission changes, investigate unauthorized modifications, and maintain compliance with PKI security policies in enterprise environments.

Applies to

Windows Server 2019, Windows Server 2022, Windows Server 2025
Analysis

Possible Causes

  • Administrator modifying certificate template permissions through Certificate Templates console
  • PowerShell scripts using PKI cmdlets to update template access control lists
  • Direct LDAP modifications to certificate template objects in Active Directory
  • Group Policy changes affecting certificate template permissions
  • Automated PKI management tools updating template security descriptors
  • Migration or synchronization processes modifying template permissions
  • Security principal changes requiring template permission updates
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the details of the Event ID 4885 record to understand which template permissions were modified and by whom.

  1. Open Event Viewer on your Certificate Authority or domain controller
  2. Navigate to Windows Logs → Security
  3. Filter for Event ID 4885 using the filter option
  4. Double-click the event to view detailed information including:
    • Template name that was modified
    • Security principal who made the change
    • Type of permission change
    • Timestamp of the modification
  5. Note the Subject field showing who made the change and the Template Name field

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4885} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
02

Verify Current Template Permissions

Check the current permissions on the affected certificate template to understand the impact of the changes.

  1. Open Certificate Authority console on your CA server
  2. Right-click the CA name and select Certificate Templates to Issue
  3. Open Certificate Templates console (certtmpl.msc)
  4. Right-click the affected template and select Properties
  5. Click the Security tab to review current permissions
  6. Document who has Read, Enroll, and Full Control permissions

Use PowerShell to audit template permissions programmatically:

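Import-Module PSPKI
# List the individual access rules held in the ACL object's Access collection
# (property names as exposed by current PSPKI access rules; confirm with Get-Member on your version)
Get-CertificateTemplate | Where-Object {$_.Name -eq "TemplateName"} | Get-CertificateTemplateAcl | Select-Object -ExpandProperty Access | Format-Table IdentityReference, Rights, AccessControlType -AutoSize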
Pro tip: Compare current permissions with your PKI security baseline to identify unauthorized changes.
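One way to run the baseline comparison suggested in the tip above, as an added example that is not part of the original article: it diffs two ACL exports right by right and marks new grants to wide groups for review. Both CSV samples and the CONTOSO names are constructed, the column names follow the exports used on this page, and the function names are hypothetical.

```powershell
# Constructed sample data: baseline and current ACL exports for one template.
# Column names (Principal, AccessMask, AceType) follow the exports used on this page.
$BaselineCsv = @'
Principal,AccessMask,AceType
CONTOSO\Domain Admins,"Read, Write, Enroll",Allow
CONTOSO\Enterprise Admins,"Read, Write, Enroll",Allow
CONTOSO\Web Server Admins,"Read, Enroll",Allow
NT AUTHORITY\Authenticated Users,Read,Allow
'@
$CurrentCsv = @'
Principal,AccessMask,AceType
CONTOSO\Domain Admins,"Read, Write, Enroll",Allow
CONTOSO\Enterprise Admins,"Read, Write, Enroll",Allow
NT AUTHORITY\Authenticated Users,"Read, Enroll",Allow
CONTOSO\svc-backup,"Read, Write",Allow
'@

function ConvertTo-AceTable {
    param([string]$Csv)
    # Expand each row into one key per (principal, ACE type, right) so row order and grouping do not matter
    $Csv | ConvertFrom-Csv | ForEach-Object {
        $row = $_
        $row.AccessMask -split '\s*,\s*' | Where-Object { $_ } | ForEach-Object {
            '{0}|{1}|{2}' -f $row.Principal.Trim().ToUpperInvariant(), $row.AceType.Trim(), $_.Trim()
        }
    } | Sort-Object -Unique
}

function Compare-TemplateAcl {
    param([string]$Baseline, [string]$Current)
    $broad = 'NT AUTHORITY\AUTHENTICATED USERS', 'EVERYONE'   # extend with your own wide groups
    Compare-Object (ConvertTo-AceTable $Baseline) (ConvertTo-AceTable $Current) | ForEach-Object {
        $principal, $aceType, $right = $_.InputObject -split '\|'
        [pscustomobject]@{
            Change    = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            Principal = $principal
            AceType   = $aceType
            Right     = $right
            # True when a wide group gained an Allow right beyond Read
            Review    = ($_.SideIndicator -eq '=>' -and $aceType -eq 'Allow' -and $right -ne 'Read' -and $principal -in $broad)
        }
    }
}

Compare-TemplateAcl -Baseline $BaselineCsv -Current $CurrentCsv | Sort-Object Change, Principal | Format-Table -AutoSize
```

With the sample data, the report shows the removed Web Server Admins entries, the new svc-backup rights, and the Enroll right added for Authenticated Users with Review set to True.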
03

Correlate with Administrative Actions

Cross-reference Event ID 4885 with other security events to build a complete picture of the administrative session.

  1. Search for related events in the same timeframe:
    • Event ID 4624 (Logon) for the user who made changes
    • Event ID 4634 (Logoff) to see session duration
    • Event ID 4648 (Explicit credential use) if alternate credentials were used
  2. Use PowerShell to correlate events by user and timeframe:
# Filter on the event IDs inside the hashtable so only matching Security events are read
$StartTime = (Get-Date).AddHours(-2)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4634,4648,4885; StartTime=$StartTime}
# The position of the account name in Properties differs between event IDs; check the event XML before relying on index 1
$Events | Sort-Object TimeCreated | Format-Table TimeCreated, Id, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='Details';Expression={$_.Message.Split("`n")[0]}}
  3. Check Certificate Services operational logs for additional context:
Get-WinEvent -LogName "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational" -MaxEvents 20
04

Implement Template Permission Monitoring

Set up proactive monitoring to track future certificate template permission changes and detect unauthorized modifications.

  1. Create a PowerShell script to monitor Event ID 4885:
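# Save as Monitor-TemplatePermissions.ps1
# XML filter for Event ID 4885 in the Security log (usable with Get-WinEvent -FilterXml $Query)
$Query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4885)]]</Select>
  </Query>
</QueryList>
"@

# Register-WmiEvent is available in Windows PowerShell 5.1; run elevated so the Security log is readable
Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile = 'Security' AND TargetInstance.EventCode = 4885" -Action {
    # Use a separate variable rather than overwriting the automatic $Event variable
    $LogEvent = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Host "Template permission change detected: $($LogEvent.Message)" -ForegroundColor Yellow
    # Add email notification or logging here
}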
  2. Configure Windows Event Forwarding to centralize template permission events
  3. Set up custom event log views in Event Viewer for quick access
  4. Create scheduled tasks to export and archive template permission changes
Warning: Ensure monitoring scripts have appropriate permissions to access Security logs and don't create performance issues.
05

Restore Template Permissions from Backup

If unauthorized template permission changes are detected, restore proper permissions from backup or known-good configurations.

  1. Export current template permissions for comparison:
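Import-Module PSPKI
$Template = Get-CertificateTemplate -Name "YourTemplateName"
$CurrentACL = Get-CertificateTemplateAcl -Template $Template
# Export one row per access rule from the ACL object's Access collection
# (property names as exposed by current PSPKI access rules; confirm with Get-Member on your version)
$CurrentACL.Access |
    Select-Object @{Name='Principal';Expression={$_.IdentityReference}}, @{Name='AccessMask';Expression={$_.Rights}}, @{Name='AceType';Expression={$_.AccessControlType}} |
    Export-Csv -Path "C:\Temp\CurrentTemplateACL.csv" -NoTypeInformation
  2. If you have a known-good permission backup, restore it:
# Restore from previously exported ACL (columns: Principal, AccessMask, AceType)
$BackupACL = Import-Csv -Path "C:\Backup\TemplateACL-Baseline.csv"
$ACL = Get-CertificateTemplateAcl -Template $Template
foreach ($ACE in $BackupACL) {
    # Re-add each baseline entry to the in-memory ACL; entries missing from the baseline are removed in the next step
    $ACL = $ACL | Add-CertificateTemplateAcl -User $ACE.Principal -AccessType $ACE.AceType -AccessMask $ACE.AccessMask
}
# Write the updated ACL back to the template object in Active Directory
$ACL | Set-CertificateTemplateAcl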
  3. Manually restore permissions through Certificate Templates console:
    • Open Certificate Templates console
    • Right-click affected template → Properties → Security
    • Remove unauthorized entries and restore proper permissions
    • Apply changes and verify in Event Viewer
  4. Document the incident and update change management procedures

Overview

Event ID 4885 generates when an administrator or authorized user modifies security permissions on a Certificate Authority (CA) template within Active Directory Certificate Services (ADCS). This event fires specifically when template access control lists (ACLs) are changed, affecting who can enroll for certificates, read template properties, or perform administrative functions on certificate templates.

This security audit event appears in the Security log on domain controllers and Certificate Authority servers when template permissions are altered through the Certificate Templates console, PowerShell cmdlets, or direct LDAP modifications. The event captures critical details including the modified template name, the security principal making the change, and the specific permissions that were modified.

Understanding this event is crucial for PKI security monitoring, as certificate template permissions directly control certificate enrollment capabilities across your Active Directory environment. Unauthorized changes to template permissions can lead to certificate abuse, privilege escalation, or compliance violations in enterprise PKI deployments.

Frequently Asked Questions

What does Event ID 4885 mean and when does it occur?
Event ID 4885 indicates that security permissions on a Certificate Authority template have been modified. It occurs whenever an administrator or authorized user changes the access control list (ACL) of a certificate template through the Certificate Templates console, PowerShell PKI cmdlets, or direct LDAP operations. Each permission change generates a separate 4885 event, providing detailed tracking of who can enroll for certificates based on specific templates.
How can I determine which specific template permissions were changed in Event ID 4885?
The Event ID 4885 details include the template name, the security principal making the change, and the type of permission modification. You can view these details in Event Viewer by double-clicking the event, or use PowerShell to extract specific information: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4885} | Select-Object TimeCreated, @{Name='Template';Expression={$_.Properties[4].Value}}, @{Name='User';Expression={$_.Properties[1].Value}}. Cross-reference with current template permissions using the Certificate Templates console to understand the impact.
Is Event ID 4885 a security concern that requires immediate attention?
Event ID 4885 itself is informational and indicates normal administrative activity when authorized personnel modify template permissions. However, it becomes a security concern if: unauthorized users are making changes, permissions are being granted to inappropriate groups, or changes occur outside of approved change windows. Monitor these events closely in high-security environments and correlate with your change management processes to identify unauthorized PKI modifications.
How can I prevent unauthorized certificate template permission changes?
Implement several security measures: restrict administrative access to certificate templates using role-based permissions, enable detailed security auditing on Certificate Authority servers, implement change management processes for PKI modifications, use PowerShell Desired State Configuration (DSC) to maintain template permission baselines, and set up real-time monitoring for Event ID 4885. Additionally, regularly review template permissions and document approved configurations for comparison.
Can Event ID 4885 help with PKI compliance and auditing requirements?
Yes, Event ID 4885 is crucial for PKI compliance auditing as it provides detailed tracking of certificate template permission changes. The event data includes timestamps, user accounts, and specific template modifications, which satisfy audit trail requirements for standards like SOX, HIPAA, and PCI DSS. Export these events regularly for compliance reporting, correlate with change management records, and maintain historical logs to demonstrate proper PKI governance and security controls.
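The triage conditions named in the FAQ (changes by unauthorized users, changes outside approved change windows) can be applied to extracted events as follows. This is an added example, not code from the original article: the approved accounts, the change window, the function name and the sample records are all constructed, and the records use the TimeCreated/Template/User shape produced by the Select-Object expression in the FAQ.

```powershell
# Hypothetical policy: accounts allowed to change template ACLs, and the approved window (local time)
$ApprovedAccounts = 'CONTOSO\pki-admin1', 'CONTOSO\pki-admin2'
$ChangeWindow = @{ Days = 'Tuesday', 'Thursday'; StartHour = 18; EndHour = 22 }

# Constructed sample records (not real log data)
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2026-03-17T19:05:00'; Template = 'WebServer'; User = 'CONTOSO\pki-admin1' }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-03-18T03:12:00'; Template = 'WebServer'; User = 'CONTOSO\pki-admin2' }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-03-19T20:40:00'; Template = 'UserAuth';  User = 'CONTOSO\helpdesk7' }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-03-21T02:30:00'; Template = 'UserAuth';  User = 'CONTOSO\svc-backup' }
)

function Get-TemplateAclChangeFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [string[]] $Approved,
        [hashtable] $Window
    )
    process {
        $reasons = @()
        # Condition 1: the change was made by an account outside the approved list
        if ($Record.User -notin $Approved) { $reasons += 'account not approved for template changes' }
        # Condition 2: the change happened outside the approved change window
        $t = $Record.TimeCreated
        $inWindow = ($t.DayOfWeek.ToString() -in $Window.Days) -and
                    ($t.Hour -ge $Window.StartHour) -and ($t.Hour -lt $Window.EndHour)
        if (-not $inWindow) { $reasons += 'outside approved change window' }
        [pscustomobject]@{
            TimeCreated = $t
            Template    = $Record.Template
            User        = $Record.User
            Verdict     = if ($reasons) { 'Investigate' } else { 'Expected' }
            Reasons     = $reasons -join '; '
        }
    }
}

$SampleEvents |
    Get-TemplateAclChangeFinding -Approved $ApprovedAccounts -Window $ChangeWindow |
    Format-Table -AutoSize
```

To run it against live data, replace `$SampleEvents` with the Get-WinEvent and Select-Object pipeline from the FAQ answer above.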
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.