Terminal license troubles

Heya!

Today I will tell you about issue I discovered recently with terminal license server. It was windows 2012R2 with 100 per user licenses installed. I configured license usage report for it which was described here. For about 1 year it was showing usage of about 10 from 100 licenses. That was confusing so I started investigation. First I checked license usage report from RD Licensing Manager and noticed there:

Failed Per User License Issuance Detail

User,CAL Version,CAL Type,Tried Issuance On

ddc.com\m_okla,Windows Server 2012,RDS Per User CAL,”den 7 april 2017 14:00:10″

ddc.com\m_dvbl,Windows Server 2012,RDS Per User CAL,”den 7 april 2017 14:00:20″

ddc.com\m_lpdn,Windows Server 2012,RDS Per User CAL,”den 7 april 2017 16:06:33″

ddc.com\m_opda,Windows Server 2012,RDS Per User CAL,”den 10 april 2017 09:44:58″

ddc.com\d_elam,Windows Server 2012,RDS Per User CAL,”den 10 april 2017 09:48:33″

Failed Per User License Issuance Summary

DomainName,FailedPerUserLicenseIssuanceCount

ddc.com,5

First I checked logs on server and there were no any recent events regarding terminal licenses. So I asked a question on MS support forums and got reply to search for event 4105 in windows application log.

I searched and found a lot of such events. So this issue is about permissions for RD License server on user accounts in AD. You can check this permissions on security tab of user account in AD, but before you need to enable “Advanced Features” in AD Users and Computers

Untitled

In our case “Terminal Server License Servers” group was added as Allow entry in users ACL, but did not had any permissions on user account at all.

Untitled

It should be “Read/Write Terminal Server license server”

First I was planning to write some script to update permissions for each user object, but then I found this article from MS. It is not stated there that it applies for windows 2012 and windows 2012R2, but it does 🙂

I used both methods from scenario #2 and each of them worked.

1 warning here. Permissions for “Terminal Server License Servers” group will not be updates, new ACL entry will be added for each user object instead. So keep it in mind when checking results, just look at all ACL entries to make sure it worked.

After correct permissions were applied license usage increased twice during 1 day only!

 

Advertisements