Event ID 4105 on a Windows 2008 R2 Remote Desktop Services Server

We are rolling out a new Windows 2008 R2 server for remote desktop services(formerly terminal services). We decided to use the Per User CAL license model. After I activated the remote desktop services license server, I wanted to make sure the license server is running OK, so I asked my user to log on. I found that no license was given out and there is an event in the logs.

Log Name:      System
Source:        Microsoft-Windows-TerminalServices-Licensing
Date:          1/5/2010 9:46:32 AM
Event ID:      4105
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:     myserver
Description:
The Remote Desktop license server cannot update the license attributes for user "myuser" in the Active Directory Domain "mydomain". Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain "mydomain".
If the license server is installed on a domain controller, the Network Service account also needs to be a member of the Terminal Server License Servers group.
If the license server is installed on a domain controller, after you have added the appropriate accounts to the Terminal Server License Servers group, you must restart the Remote Desktop Licensing service to track or report the usage of RDS Per User CALs.
Win32 error code: 0x80070005

The description is very lengthy and it even tells you how to fix this problem. However, the server is already a member of the Terminal Server License Servers group, so the solution does not apply.

I found this article with a PowerShell script which fixed my problem. The cause is the user accounts created before the AD Schema changes to accommodate Windows server 2008 do not have the necessary access role for the new license model to work. The original script on the page is broken because of the line break. Here is the edited listing of the script.

# Description: This script will add missing permissions for the Terminal
#Server License Server group to user objects in Active Directory.
# This may solve problems with TS CALs not beeing issued and event id
#4105 being logged at the license server.

# Constants
$URL = "LDAP://DC=mydomain,DC=com";

cls
$root = New-Object DirectoryServices.DirectoryEntry $URL
$ds = New-Object DirectoryServices.DirectorySearcher
$ds.SearchRoot = $root
$ds.filter = "objectCategory=Person"
$src = $ds.findall()
write-host "Found" $src.count "user objects.`n"
$src | %{
$de = $_.getdirectoryentry()
$accessrules = $de.get_objectsecurity().getaccessrules($true, $false,[System.Security.Principal.SecurityIdentifier]) | ?{$_.ObjectType -eq "5805bc62-bdc9-4428-a5e2-856a0f4c185e"}
if ((measure-object -inputobject $accessrules).count -eq 0)
  {
    $ar = new-object System.DirectoryServices.ActiveDirectoryAccessRule([System.Security.Principal.SecurityIdentifier]"S-1-5-32-561", 48, "Allow", [guid]"5805bc62-bdc9-4428-a5e2-856a0f4c185e")
    $de.get_objectsecurity().addaccessrule($ar)
    $de.commitchanges()
    write-host -f yellow ("Added:`t" + $de.properties["sAMAccountName"])
    start-sleep -m 200
  }
else
  {
    write-host -f green ("OK:`t" + $de.properties["sAMAccountName"])
  }
}

Create a new PowerShell script file based upon this and run it with an Domain Admins account. The license server should be working properly after you run this script.


This post may contain affiliated links. When you click on the link and purchase a product, we receive a small commision to keep us running. Thanks.


22 Comments

  1. Although we have this warning but it does not prevent our users log in. The only thing is now I don’t need buy any more CAL 🙂

    Will this cause other problem?

  2. I am not sure if this will cause any problems. You can try to create a RDS CAL usage report and see what’s going on.

  3. I think your clients are using a temporary license. Those licenses are going to expire at some point. You need to properly configure your RDS license server. Did you try to run the script?

  4. I have the same problem, but I don’t trust thist script. Can it be dangerous, to run this powershell? I mean, if something goes wrong, the whole domain is broken…
    Can something like this happen?
    The license server isn’t installed on a domain controller…

    • I don’t think it would break the whole domain. However, if you are not comfortable with running a script, by all means, do not run it.

  5. I tried running the script but got the error below:

    Found 1000 user objects.

    OK: Administrator

    cmdlet New-Object at command pipeline position 1
    Supply values for the following parameters:
    TypeName:

    Tried putting a name in there but got an error.
    any ideas?

  6. Is there a way to do this process manually in the GUI or line by line? I have 2 users out of 10 that get this error. The other 8 are getting assigned per user CALs as intended.

    As I have read on the internet, I believe it has to do with when the users were created, and at what state / domain functional level you were at. It is my oldest users (ie existed the longest) that are having the error generated.

    Thanks!

  7. for some reason, executing this from script failed on FindAll – a referral was returned.. pasting it directly into powershell worked fine..

    do you have any clue why is that?

  8. Hello,

    i would like to ask here since this is the most relevant. I have this issue but only with one user which is using an “Apple” 🙂 . Else it works fine. I run the script by the way. My DC is 2003, my TS is 2008 R2 . Everything else is in place and i run a report on my RDS License server and it works ok. Only this user on MAC gives me a headache.

    Best regards
    Catalin

  9. I am running this script, but it seems like it’s not doing anything. It’s been 3 hours at this point, but we do have 804 objects it detected. Is it normal for it to run this long?

  10. I have a few thousand users, but it only modified 1000. Powershell defaults to only returning the frist 1000 hits on a search.

    Can someone tell me how to modify this script to either ignore the limit, or to change it to something like 5000?

    Thanks!

    • For anyone else looking to increase the returned results, I figured it out:

      Just add:
      $ds.PageSize = “1000”

      right after line 11
      (looks like this):
      $ds = New-Object DirectoryServices.DirectorySearcher

Leave a Reply