[Today’s post comes to us courtesy of Mark Stanfill]

We get a fair number of queries about CAL enforcement in Essential Business Server (EBS) support, so I’d like to try to clear up some of the common questions that our partners have.  Because EBS enforces client licensing in a fairly strict manner, it is important to understand the repercussions of being out of compliance in order to ensure that your clients are able to successfully connect to the network.

How to Properly License Clients

Assigning CALs to users is a simple process:

  1. Activate the server.  Do this from Control Panel\System as you would for any Windows Server.
  2. Install the CAL Packs using the EBS Administration Console.
    1. Open the EBS Administration Console and select the Licenses tab.
    2. Select Install CAL packs from the License Management Tasks.
    3. Follow the prompts, and enter the CAL Pack product keys when prompted
  3. Assign the CALs to users or devices using the EBS Administration Console.
    1. For existing users, open the EBS Administration Console and select the Users and Groups tab.
    2. Select the user and double-click or choose Change user account properties.
    3. Select the CAL tab and assign the appropriate CAL (Standard or Enterprise).
    4. Click OK to exit.

CALs must be assigned to users.  Installation does not automatically assign a CAL to any users.  This task is covered in the Guided Configuration and Migration Tasks during setup as well.

Assigning CALs to users

Enforcement Model

EBS does not enforce any licensing restrictions for the first 30 days after Management Server is installed.  You can verify that you are in this state by looking in Event Viewer on Management Server under Applications and Service Logs\Microsoft\Windows\Server Infrastructure Licensing\Operational.  The presence of Event 39 in this log indicates that the server is in the initial grace period:

Licensing compliance for the Domain Controller Check is not enforced until 30 days after the server has been installed.

After 30 days, enforcement will begin.  Any client that is not assigned a CAL at this point will only be authorized to log in to servers or to workstations that have been assigned CALs.  The licensing service enforces this restriction by modifying the user’s Logon Workstation’s setting in AD.  Any changes made to this key will automatically be reverted by the licensing service.

image

If a CAL has not been assigned to a user, they will be presented with the following error when attempting to log on to their workstation:

Your account is configured to prevent you from using this computer.  Please try another computer.

Windows 7 - Your account is configured to prevent you from using this computer. Please try another computer.

Vista - Your account is configured to prevent you from using this computer. Please try another computer.

XP - Your account is configured to prevent you from using this computer. Please try another computer.

User CALs vs Device CALs

Previous licensing models had the concept of user CALs versus device CALs.  In EBS 2008, all CALs are “Universal CALs” and may be assigned to either a user or a computer as needed.

When you assign a User CALs to a specific individual, that person can use any PC or network device to access a Windows Essential Business Server 2008 server or other Windows server in the domain. When you assign a Device CAL to a specific device, then any number of individuals (but only one at a time) can use that device to access a Windows Essential Business Server 2008 server or other Windows server.

In most cases, assigning CALs to users is preferred. Assigning CALs to devices typically is used in very limited scenarios:

· Shared machines between shift workers

· Kiosk machines

· Machines shared between workers who don’t require concurrent access (for example, point of sale devices, computers used to check email in a warehouse, or computers only used to do a specialized function, such as scanning or machine automation)

 

Automating Assigning CALs

 

 

The BulkAssignCALs.ps1 PowerShell script will attempt to assign installed CALs to users in the domain.  It is important to audit the accounts afterwards to make sure that test accounts, users who have left the company, etc. are not consuming CALs.  This script is available here.

To run this script, do the following:

  1. On the Management Server, right-click the icon for Windows PowerShell and choose “Run as administrator”
  2. Save the file locally to disk, right-click on it, choose properties, and click on the Unblock button
  3. In the PowerShell command prompt, execute the script by navigating to where you saved the file and typing .\bulkassignCALs.ps1 standard (for standard CALs; substitute premium as appropriate)
  4. Open the EBS Administration Console, navigate to the Licenses tab, select User Licenses,  and review the results.  Ensure that users have the correct edition.

image

image