Event ID 4105 on a Windows 2008 R2 Remote Desktop Services Server

We are rolling out a new Windows 2008 R2 server for Remote Desktop Services (formerly Terminal Services). We decided to use the Per User CAL license model. After I activated the Remote Desktop Services license server, I wanted to make sure the license server was running OK, so I asked my user to log on. I found that no license was given out and that there was an event in the logs.

Log Name:      System
Source:        Microsoft-Windows-TerminalServices-Licensing
Date:          1/5/2010 9:46:32 AM
Event ID:      4105
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:     myserver
Description:
The Remote Desktop license server cannot update the license attributes for user "myuser" in the Active Directory Domain "mydomain". Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain "mydomain".
If the license server is installed on a domain controller, the Network Service account also needs to be a member of the Terminal Server License Servers group.
If the license server is installed on a domain controller, after you have added the appropriate accounts to the Terminal Server License Servers group, you must restart the Remote Desktop Licensing service to track or report the usage of RDS Per User CALs.
Win32 error code: 0x80070005

The description is very lengthy and it even tells you how to fix this problem. However, the server is already a member of the Terminal Server License Servers group, so the solution does not apply.

I found this article with a PowerShell script which fixed my problem. The cause is that user accounts created before the AD schema changes made to accommodate Windows Server 2008 do not have the permissions the new license model needs in order to work. The original script on the page is broken because of a line break. Here is the edited listing of the script.

# Description: This script adds missing permissions for the Terminal
# Server License Servers group to user objects in Active Directory.
# This may solve problems with TS CALs not being issued and event ID
# 4105 being logged at the license server.

# Constants
$URL = "LDAP://DC=mydomain,DC=com"   # change to your own domain

cls
$root = New-Object DirectoryServices.DirectoryEntry $URL
$ds = New-Object DirectoryServices.DirectorySearcher
$ds.SearchRoot = $root
# Users only; objectCategory=Person on its own also matches contact objects.
$ds.Filter = "(&(objectCategory=Person)(objectClass=user))"
# Enable paging; without it the search stops at the server's result limit
# (1000 objects by default) and the remaining users are never processed.
$ds.PageSize = 1000
$src = $ds.FindAll()
Write-Host "Found" $src.Count "user objects.`n"
$src | %{
  $de = $_.GetDirectoryEntry()
  # Explicit (non-inherited) access rules on this user for the property set
  # 5805bc62-bdc9-4428-a5e2-856a0f4c185e.
  $accessrules = $de.get_objectsecurity().GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) | ?{$_.ObjectType -eq "5805bc62-bdc9-4428-a5e2-856a0f4c185e"}
  if ((Measure-Object -InputObject $accessrules).Count -eq 0)
  {
    # No such rule yet: allow S-1-5-32-561 (BUILTIN\Terminal Server License Servers)
    # rights 48 = ReadProperty (16) + WriteProperty (32) on that property set.
    $ar = New-Object System.DirectoryServices.ActiveDirectoryAccessRule([System.Security.Principal.SecurityIdentifier]"S-1-5-32-561", 48, "Allow", [guid]"5805bc62-bdc9-4428-a5e2-856a0f4c185e")
    $de.get_objectsecurity().AddAccessRule($ar)
    $de.CommitChanges()
    Write-Host -f yellow ("Added:`t" + $de.properties["sAMAccountName"])
    Start-Sleep -m 200
  }
  else
  {
    Write-Host -f green ("OK:`t" + $de.properties["sAMAccountName"])
  }
}

Create a new PowerShell script file based upon this and run it with a Domain Admins account. The license server should be working properly after you run this script.
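A read-only check to run before (and again after) the script above, as an added example that is not from the original post or the article it cites: it reports for each user whether the access rule the script adds is missing, set explicitly, or only inherited, and it changes nothing in the directory. The LDAP path is the same placeholder as above, and the variable names are this example's own.

```powershell
# Added example: audit only, makes no changes to Active Directory.
$URL       = "LDAP://DC=mydomain,DC=com"                    # placeholder, as in the script above
$TsPropSet = [guid]"5805bc62-bdc9-4428-a5e2-856a0f4c185e"   # property-set GUID used by the script above
$TsLsSid   = "S-1-5-32-561"                                  # group SID used by the script above
$Needed    = 48                                              # rights mask used by the script above

$ds = New-Object DirectoryServices.DirectorySearcher
$ds.SearchRoot = New-Object DirectoryServices.DirectoryEntry $URL
$ds.Filter     = "(&(objectCategory=Person)(objectClass=user))"
$ds.PageSize   = 1000                                        # page through more than 1000 users
[void]$ds.PropertiesToLoad.Add("sAMAccountName")

$report = foreach ($r in $ds.FindAll()) {
    $de = $r.GetDirectoryEntry()
    # Read explicit AND inherited rules, then keep only Allow rules for the
    # license-servers SID on the property set that grant at least the mask 48.
    $rules = @($de.psbase.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.ObjectType -eq $TsPropSet -and
            $_.IdentityReference.Value -eq $TsLsSid -and
            $_.AccessControlType -eq "Allow" -and
            ([int]$_.ActiveDirectoryRights -band $Needed) -eq $Needed
        })

    if ($rules.Count -eq 0) {
        $state = "Missing"
    } elseif (@($rules | Where-Object { -not $_.IsInherited }).Count -gt 0) {
        $state = "Explicit"
    } else {
        $state = "Inherited"
    }

    New-Object PSObject -Property @{
        User = [string]$r.Properties["samaccountname"][0]
        Ace  = $state
    }
    $de.psbase.Dispose()
}

# Summary by state, then the accounts that would be modified by the fix.
$report | Group-Object Ace | Select-Object Name, Count
$report | Where-Object { $_.Ace -eq "Missing" } | Select-Object -ExpandProperty User
```

Unlike the fix script, which looks only at explicit rules and matches on the GUID alone, this check also counts inherited rules and requires the rule to name the license-servers SID, so a user shown as "Inherited" here will still get an explicit rule added by the fix script.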
