We are rolling out a new Windows 2008 R2 server for remote desktop services (formerly terminal services). We decided to use the Per User CAL license model. After I activated the remote desktop services license server, I wanted to make sure the license server was running OK, so I asked my user to log on. I found that no license was given out and there was an event in the logs.
Log Name: System
Source: Microsoft-Windows-TerminalServices-Licensing
Date: 1/5/2010 9:46:32 AM
Event ID: 4105
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: myserver
Description:
The Remote Desktop license server cannot update the license attributes for user "myuser" in the Active Directory Domain "mydomain". Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain "mydomain". If the license server is installed on a domain controller, the Network Service account also needs to be a member of the Terminal Server License Servers group. If the license server is installed on a domain controller, after you have added the appropriate accounts to the Terminal Server License Servers group, you must restart the Remote Desktop Licensing service to track or report the usage of RDS Per User CALs.
Win32 error code: 0x80070005
The description is very lengthy and it even tells you how to fix this problem. However, the server is already a member of the Terminal Server License Servers group, so the solution does not apply.
I found this article with a PowerShell script which fixed my problem. The cause is that user accounts created before the AD schema changes made to accommodate Windows Server 2008 do not have the necessary access role for the new license model to work. The original script on the page is broken because of the line breaks. Here is the edited listing of the script.
# Description: This script will add missing permissions for the Terminal
# Server License Server group to user objects in Active Directory.
# This may solve problems with TS CALs not being issued and event id
# 4105 being logged at the license server.

# Constants
$URL = "LDAP://DC=mydomain,DC=com";

cls
$root = New-Object DirectoryServices.DirectoryEntry $URL
$ds = New-Object DirectoryServices.DirectorySearcher
$ds.SearchRoot = $root
$ds.filter = "objectCategory=Person"
$ds.PageSize = 1000   # page the search so more than 1000 objects are returned
$src = $ds.findall()
write-host "Found" $src.count "user objects.`n"
$src | %{
    $de = $_.getdirectoryentry()
    # Look for an existing explicit ACE on the Terminal Server License Server property set
    $accessrules = $de.get_objectsecurity().getaccessrules($true, $false, [System.Security.Principal.SecurityIdentifier]) | ?{$_.ObjectType -eq "5805bc62-bdc9-4428-a5e2-856a0f4c185e"}
    if ((measure-object -inputobject $accessrules).count -eq 0) {
        # 48 = ReadProperty + WriteProperty; S-1-5-32-561 = BUILTIN\Terminal Server License Servers
        $ar = new-object System.DirectoryServices.ActiveDirectoryAccessRule([System.Security.Principal.SecurityIdentifier]"S-1-5-32-561", 48, "Allow", [guid]"5805bc62-bdc9-4428-a5e2-856a0f4c185e")
        $de.get_objectsecurity().addaccessrule($ar)
        $de.commitchanges()
        write-host -f yellow ("Added:`t" + $de.properties["sAMAccountName"])
        start-sleep -m 200
    } else {
        write-host -f green ("OK:`t" + $de.properties["sAMAccountName"])
    }
}
Create a new PowerShell script file based upon this and run it with a Domain Admins account. The license server should be working properly after you run this script.
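Because the script rewrites the ACL on every matching user object under a Domain Admins account, a read-only pass first shows which accounts would be touched. The following is an added example, not part of the original post or the referenced article; it makes no changes to the directory, the search root is the same placeholder as above, and the CSV file name is an assumption.

```powershell
# Added example: read-only audit of the ACE the script above would add.
# Assumptions: placeholder domain DN below, hypothetical output file name.
$URL        = "LDAP://DC=mydomain,DC=com"
$tsPropSet  = [guid]"5805bc62-bdc9-4428-a5e2-856a0f4c185e"  # property set GUID from the script above
$tsGroupSid = "S-1-5-32-561"                                 # SID the script above grants access to
$rwProperty = 48                                             # ReadProperty (16) + WriteProperty (32)

$ds = New-Object DirectoryServices.DirectorySearcher
$ds.SearchRoot = New-Object DirectoryServices.DirectoryEntry $URL
$ds.Filter     = "(objectCategory=Person)"
$ds.PageSize   = 1000   # paged search, so results are not cut off at 1000

$report = foreach ($r in $ds.FindAll()) {
    $de = $r.GetDirectoryEntry()
    # Explicit ACEs only, the same scope the script above inspects
    $rules = $de.psbase.ObjectSecurity.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])
    $hasAce = $false
    foreach ($rule in $rules) {
        # Stricter than the script above: also match the trustee, type and rights
        if ($rule.ObjectType -eq $tsPropSet -and
            $rule.IdentityReference.Value -eq $tsGroupSid -and
            $rule.AccessControlType -eq "Allow" -and
            ([int]$rule.ActiveDirectoryRights -band $rwProperty) -eq $rwProperty) {
            $hasAce = $true
            break
        }
    }
    New-Object PSObject -Property @{
        sAMAccountName    = [string]$de.Properties["sAMAccountName"].Value
        DistinguishedName = [string]$de.Properties["distinguishedName"].Value
        HasLicenseAce     = $hasAce
    }
}

$missing = @($report | Where-Object { -not $_.HasLicenseAce })
Write-Host ("Checked {0} objects, {1} missing the ACE." -f @($report).Count, $missing.Count)
$missing | Sort-Object sAMAccountName |
    Export-Csv -NoTypeInformation .\ts-license-ace-missing.csv
```

The resulting list can be compared with the accounts named in event 4105 before any ACL is modified, and kept as a record of which objects were changed.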
You are awesome
Do I need to run the script on domain controller or on the Terminal server?
I ran it on the Domain Controller.
Although we have this warning, it does not prevent our users from logging in. The only thing is now I don’t need to buy any more CAL 🙂
Will this cause other problem?
I am not sure if this will cause any problems. You can try to create a RDS CAL usage report and see what’s going on.
the report says that there is zero usage.
I think your clients are using a temporary license. Those licenses are going to expire at some point. You need to properly configure your RDS license server. Did you try to run the script?
I have the same problem, but I don’t trust this script. Can it be dangerous to run this PowerShell? I mean, if something goes wrong, the whole domain is broken…
Can something like this happen?
The license server isn’t installed on a domain controller…
I don’t think it would break the whole domain. However, if you are not comfortable with running a script, by all means, do not run it.
We are on a Windows 2003 AD domain. Will this script work?
We are on a Windows 2003 AD domain, too.
I tried running the script but got the error below:
Found 1000 user objects.
OK: Administrator
cmdlet New-Object at command pipeline position 1
Supply values for the following parameters:
TypeName:
Tried putting a name in there but got an error.
any ideas?
Is there a way to do this process manually in the GUI or line by line? I have 2 users out of 10 that get this error. The other 8 are getting assigned per user CALs as intended.
As I have read on the internet, I believe it has to do with when the users were created, and at what state / domain functional level you were at. It is my oldest users (ie existed the longest) that are having the error generated.
Thanks!
I don’t think so.
for some reason, executing this from script failed on FindAll – a referral was returned.. pasting it directly into powershell worked fine..
do you have any clue why is that?
Could be a problem with the line break when you copied the script to a file.
Hello,
I would like to ask here since this is the most relevant. I have this issue but only with one user which is using an “Apple” 🙂. Else it works fine. I run the script by the way. My DC is 2003, my TS is 2008 R2. Everything else is in place and I run a report on my RDS License server and it works ok. Only this user on MAC gives me a headache.
Best regards
Catalin
You can ask the Mac user to install the latest Remote Desktop Client and see if it works.
I am running this script, but it seems like it’s not doing anything. It’s been 3 hours at this point, but we do have 804 objects it detected. Is it normal for it to run this long?
It only takes a couple of seconds to run. I think something is not right.
I have a few thousand users, but it only modified 1000. PowerShell defaults to only returning the first 1000 hits on a search.
Can someone tell me how to modify this script to either ignore the limit, or to change it to something like 5000?
Thanks!
For anyone else looking to increase the returned results, I figured it out:
Just add:
$ds.PageSize = "1000"
right after line 11
(looks like this):
$ds = New-Object DirectoryServices.DirectorySearcher