What is this?

This is basically where I write down stuff that I work with at my job as a GIS Technical Analyst (previously system administrator). I do it because it's practical for documentation purposes (although, I remove stuff that might be a security breach) and I hope it can be of use to someone out there. I frequently search the net for help myself, and this is my way of contributing.

Saturday, April 17, 2010

Windows 2008 terminal server licenses not being assigned to users

We have a Windows 2003 domain and have just set up some new terminal servers using a Windows 2008 terminal server licensing manager server in the domain (per user licensing). This license server is not a DC.

The problem was that most users would not be assigned licenses from the license server and the event viewer on the licensing manager server said the following:

"The Terminal Services license server cannot update the license attributes for user "XXX" in the Active Directory Domain "mydomain.intern". Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain "mydomain.intern".
If the license server is installed on a domain controller, the Network Service account also needs to be a member of the Terminal Server License Servers group.
If the license server is installed on a domain controller, after you have added the appropriate accounts to the Terminal Server License Servers group, you must restart the Terminal Services Licensing service to track or report the usage of TS Per User CALs."

Well, sure enough, the server in question was not a member of the "Terminal Server License Servers" group at first, but it was added later. We then restarted both the terminal servers and the licensing server, but the problem remained.

A little further investigation showed that this problem occurred for approximately 2/3 of our users. Checking a user's permissions with powershell (Exchange Management Shell cmdlets):

get-user jdoe |get-adpermission -user s-1-5-32-561 |fl

User : S-1-5-32-561
Identity : mydomain.intern/Users/John Doe
Deny : False
AccessRights : {ReadProperty, WriteProperty}
ExtendedRights :
IsInherited : False
Properties : {Terminal-Server}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None


revealed that the group "Terminal Server License Servers" is present with some special permissions on the accounts that work. Checking an account that does not work did not list this permission. By the way, S-1-5-32-561 is the "well-known SID" for the group we're looking for:

SID: S-1-5-32-561
Name: BUILTIN\Terminal Server License Servers
Description: An alias. A group for Terminal Server License Servers.


My first thought was that it was inheritance related, but the users' OU showed no trace of the "Terminal Server License Servers" group, and the output above clearly says "InheritanceType: None". Interestingly enough, all newly created users get the correct permissions, which indicates that the permissions come as part of the default settings from the AD schema (the defaultSecurityDescriptor of the user class). When checking the schema I saw that the "Terminal Server License Servers" group is indeed present with some kind of permissions on the user object, but the AD Schema MMC snap-in doesn't seem to be able to list which particular permissions these are.

Anyway - at one point a job must have been triggered that tried to set these permissions for all user accounts (?) in my domain, but it must have stopped partway through. I can't really think of any other possibility than that this happened during the TS licensing server installation. Can this somehow be triggered manually? Or is there another way to get this done by the book? Google brought me no further.

The obvious and simple workaround was to simply add the permissions manually through powershell and hope for the best, but it still leaves me with a feeling that something is not quite right.

Update:
Thanks to powershell I succeeded in finding a pattern. The following script lists all users where "Terminal Server License Servers" have access rights:

# List every user account on which "Terminal Server License Servers"
# (S-1-5-32-561) holds an ACE. @() forces an array so .count works
# even when only one result comes back (PowerShell v2).
$users = @(get-user | get-adpermission -user s-1-5-32-561)
write-host $users.count
$count = 0
while ($count -lt $users.count)
{
   # print index and the account the ACE sits on
   write-host $count $users[$count].identity
   $count++
}


The users listed had the following in common: they either
a) were created after we upgraded the domain from windows 2000 to Windows 2003 (SP1)
  or
b) were members of domain admins, account operators or printer operators.

We already know that new accounts receive the correct access rights upon creation, and admin/operator accounts have their access rights adjusted automatically by an Active Directory mechanism (SDProp) running hourly on the PDC emulator, according to the permissions set on the System/AdminSDHolder container in AD (just try adding a user to Account Operators and notice that Account Operators' access rights to this user account will disappear by themselves after a while).

In other words - these permissions have never been applied to all user accounts in the domain. I cannot imagine that this is by design; if it were, there would be a lot of MS customers scratching their heads. I suppose our domain is an exception, so I guess I'll just stick to applying the necessary access rights by powershell (with the following command).

get-user * | Add-ADPermission -user S-1-5-32-561 -accessrights ReadProperty,Writeproperty -properties Terminal-Server -inheritancetype none
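As an added example (not the original post's code), the same cmdlets can be turned into a report-first script: it lists the accounts that still lack the ACE the license server needs, and only adds it where it is actually missing when run with -Fix. It assumes the Exchange Management Shell cmdlets used above (Get-User, Get-ADPermission, Add-ADPermission) are loaded.

```powershell
# Added example, not the post's own script: report user accounts missing the
# "Terminal Server License Servers" ACE on the Terminal-Server property set,
# and optionally add it. Assumes Exchange Management Shell cmdlets.
param(
    [switch]$Fix   # without -Fix the script only reports
)

$licenseServersSid = 'S-1-5-32-561'   # BUILTIN\Terminal Server License Servers

function Test-TsLicenseAce($user) {
    # True when the group already holds Read/Write on the Terminal-Server
    # property set directly on this account (the ACE shown in the post).
    $aces = Get-ADPermission -Identity $user.Identity -User $licenseServersSid
    foreach ($ace in $aces) {
        if (-not $ace.Deny -and
            "$($ace.Properties)"   -match 'Terminal-Server' -and
            "$($ace.AccessRights)" -match 'WriteProperty') {
            return $true
        }
    }
    return $false
}

$missing = @()
# -ResultSize Unlimited: the default result size would silently stop at 1000 users
foreach ($u in (Get-User -ResultSize Unlimited)) {
    if (-not (Test-TsLicenseAce $u)) { $missing += $u }
}

Write-Host ("{0} account(s) lack the Terminal Server License Servers ACE" -f $missing.Count)
$missing | ForEach-Object { Write-Host ("  " + $_.Identity) }

if ($Fix) {
    foreach ($u in $missing) {
        # Same ACE the post applies, but only where it is missing. Admin and
        # operator accounts are re-stamped hourly from AdminSDHolder anyway.
        Add-ADPermission -Identity $u.Identity -User $licenseServersSid `
            -AccessRights ReadProperty,WriteProperty -Properties Terminal-Server `
            -InheritanceType None | Out-Null
        Write-Host ("  fixed " + $u.Identity)
    }
}
```

Run it once without -Fix to confirm the count matches the roughly 2/3 of users seen in the event log before changing anything.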