Control the Issuance of RDS CALs

Control the Issuance of RDS CALs

Rate This
  • Comments 0

This post is for customers or administrators who want to control which Remote Desktop Session Host (RD Session Host) servers are issued Remote Desktop Services client access licenses (RDS CALs) and which version of RDS CAL is issued to the RD Session Host servers. By default, a Remote Desktop license server issues an RDS CAL (if an appropriate RDS CAL is available) to any RD Session Host server that requests one on behalf of a client that is trying to connect to the RD Session Host server. This post also discusses how to control the auto-discovery of a license server running Windows Server 2008 R2 from terminal servers running Windows Server 2008 or Windows Server 2003.

Control which RD Session Host servers are issued RDS CALs

For security reasons, you might want to specify the RD Session Host servers to which a license server offers RDS CALs. You can apply the License server security group Group Policy setting to a Remote Desktop license server to control which RD Session Host servers are issued RDS CALs by the license server.

  • If you apply this policy setting to a Remote Desktop license server, it responds only to requests for RDS CALs from RD Session Host servers whose computer accounts are members of the Terminal Server Computers group.
    Note: The Terminal Server Computers group is created as a local group on the license server the first time the Remote Desktop Licensing service is started on the license server. By default, the Terminal Server Computers group is empty. If you disable or do not configure the License server security group policy setting, the Terminal Server Computers group is not deleted or changed and the license server issues an RDS CAL (if an appropriate RDS CAL is available) to any RD Session Host server that requests one.
  • You should enable the License server security group policy setting when the license server is a member of a domain so that only you can add computer accounts for RD Session Host servers to the Terminal Server Computers group. The policy setting has no effect if you enable it on a license server that is a member of a workgroup; the license server continues to issue RDS CALs to any RD Session Host server that requests RDS CALs from the license server.

Location of the License server security group policy setting: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Licensing

If the License server security group policy setting is enabled and applied to a license server, it is noted in Review Configuration in the Remote Desktop Licensing Manager tool (Click Start -> Administrative Tools -> Remote Desktop Services -> Remote Desktop Licensing Manager. In the left pane, right-click the server name under the All servers node and select the Review Configuration option).

To verify whether an RD Session Host server is allowed to request RDS CALs from the Remote Desktop license server, you can use the IsSecureAccessAllowed method of Win32_TSLicenseServer class. For more details about this method, click here.

Control which version of RDS CAL is issued to RD Session Host servers

By default, a license server attempts to provide the most appropriate RDS CAL for a connection. For example, a license server running Windows Server 2008 R2 tries to issue a Windows Server 2008 R2 RDS CAL for clients connecting to an RD Session Host server running Windows Server 2008 R2, and a Windows Server 2003 TS CAL for clients connecting to a terminal server running Windows Server 2003.

If the most appropriate RDS CAL is not available, a license server running Windows Server 2008 R2 issues a Windows Server 2008 R2 RDS CAL, if available, to a client connecting to a terminal server running Windows Server 2003 or Windows Server 2000.

You can use the Prevent license upgrade Group Policy setting on the license server so that it issues only a temporary RDS CAL to the client if an appropriate RDS CAL is not available (if the licensing mode of the RD Session Host server is set to Per Device). If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client will not be able to connect to the RD Session Host server, unless the RD Licensing grace period for the RD Session Host server has expired.

Note: As the Per User licensing mode is not enforced, the license server will issue the appropriate version of CAL even if the Group Policy setting is not set. You need to have the appropriate number and version of CALs to be compliant with the Microsoft Software License Terms.

Location of the Prevent license upgrade policy setting: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Licensing

To verify whether the Prevent license upgrade Group Policy setting is enabled or not, you can use the IsLSPreventUpgradeGPEnabled method of Win32_TSLicenseServer class. For more details about this method, click here.

Control the auto-discovery of the Remote Desktop license server

In Windows Server 2003 and Windows Server 2008, the terminal servers (now Remote Desktop Session Host servers) were configured to auto-discover the license server by default. If you want to over-ride the license server discovery process, this KB article might help you. In case you want your terminal server to discover the license servers automatically but don’t want your license server running Windows Server 2008 R2 to be discoverable by terminal servers running Windows Server 2008 or Windows Server 2003, here are some tips:

  • If you have installed your license server in a domain scope and don’t want it to be discoverable by down-level terminal servers, install it on a domain-joined machine but not on the domain controller. If you install your license server on the domain controller, all down-level terminal servers will be able to discover that license server.
  • If you have installed your license server in a forest/enterprise scope and don’t want it to be discoverable by down-level terminal servers, un-publish the license server. To un-publish the license server, you can use the UnpublishLS method of the Win32_TSLicenseServer class. For more details about this method, click here.
  • If you don’t want your license server to be discoverable in some other site/domain than the current one, un-publish it from that particular site/domain.
Leave a Comment
  • Please add 4 and 2 and type the answer here:
  • Post