Licensing Microsoft AD RMS is troublesome for any organization that has used it for a period of time. As users come and go, licenses are expected to be returned and reused by the next person, within reasonable boundaries. Quoting the Microsoft Product Terms (Sep 1 2016):
"9. License Assignment and Reassignment
Before Customer uses software under a License, it must assign that License to a device or user, as appropriate. Customer may reassign a License to another device or user, but not less than 90 days since the last reassignment of that same License, unless the reassignment is due to (i) permanent hardware failure or loss, (ii) termination of the user’s employment or contract or (iii) temporary reallocation of CALs, Client Management Licenses and user or device SLs to cover a user’s absence or the unavailability of a device that is out of service."
What this means in practice is that you need to keep track of the previous 90 days' worth of usage. If you license by User CAL, the number of unique users who used the product within those 90 days is the number of licenses you need in order to stay compliant.
Why is this troublesome for organizations using AD RMS? Because Microsoft does not provide the tools necessary for you to keep track of AD RMS usage.
The Statistics report gives you the count of every AD RMS license ever consumed. This includes both active and departed users, and it may be inflated for users who have more than one email address tied to their Exchange account.
In fact, you can produce the same number yourself in T-SQL by running this query against the DRMS_Config_xxxx database:
SELECT count(*) FROM UD_Users
The other reports, System Health and Troubleshooting, are more useful for performance tuning and troubleshooting than for licensing.
As a product consumer you are left with the following options:
1. License every user in the organization
2. Employ security measures to prevent accidental AD RMS consumption by the wrong user. You could technically modify the permissions on "/_wmcs/Certification/Certification.asmx" to restrict access to a specific AD group. Take note, however, that Microsoft recommends:
"Default permissions should be kept, which causes users to be prompted for domain credentials when they access the service externally. Default permissions also provide temporary RACs to users on computers not managed by the organization’s IT department."
3. Figure out another way to keep track of AD RMS consumption
Here's a custom query I want to share, run against the DRMS_Logging_xxxx database:
SELECT DISTINCT RequestUser.UserName
FROM RequestUser
INNER JOIN ServiceRequest ON RequestUser.RequestUserId = ServiceRequest.RequestUserId
WHERE ServiceRequest.RequestTime > DATEADD(day, -90, getutcdate())
ORDER BY RequestUser.UserName
I got the idea from a published AD RMS log purging sample (https://technet.microsoft.com/en-us/library/dd941624(v=ws.10).aspx). The query covers the 90 days prior to the current date and outputs the usernames for you to verify that they are actual human beings who have used AD RMS in the past 90 days.
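As an added example (my own T-SQL, not the query from the post or anything Microsoft ships), the script below builds a throwaway copy of the two logging tables the query above joins, RequestUser and ServiceRequest, fills them with constructed sample rows, runs the same trailing-90-day report against the copy, and then extends it to a count for every 90-day window in the log so you can see the peak over the whole history rather than only the last 90 days. Only the columns the post's query touches are assumed (RequestUserId, UserName, RequestTime); the real tables carry more columns than that.

```sql
-- Added example, not from the original post. Runs in any scratch database on
-- SQL Server; the temp tables mean nothing in the real DRMS_Logging_xxxx
-- database is touched. To run against the real log, drop the CREATE/INSERT
-- section and replace #RequestUser / #ServiceRequest with the real table names.
SET NOCOUNT ON;

-- Constructed fixture: only the columns the post's query uses are assumed.
CREATE TABLE #RequestUser (
    RequestUserId INT PRIMARY KEY,
    UserName      NVARCHAR(256) NOT NULL
);
CREATE TABLE #ServiceRequest (
    RequestUserId INT      NOT NULL,
    RequestTime   DATETIME NOT NULL
);

-- Constructed users. Rows 2 and 3 are two addresses of the same mailbox, the
-- inflation case the post mentions for the Statistics report.
INSERT INTO #RequestUser (RequestUserId, UserName) VALUES
    (1, N'alice@example.com'),
    (2, N'bob@example.com'),
    (3, N'bob.smith@example.com'),
    (4, N'carol@example.com');

-- Constructed requests spread over about five months, relative to now.
-- carol's only request is older than 90 days, so she drops out of the
-- trailing window but still shows up in the historical windows.
INSERT INTO #ServiceRequest (RequestUserId, RequestTime) VALUES
    (1, DATEADD(day, -150, GETUTCDATE())),
    (4, DATEADD(day, -140, GETUTCDATE())),
    (2, DATEADD(day, -100, GETUTCDATE())),
    (1, DATEADD(day,  -60, GETUTCDATE())),
    (3, DATEADD(day,  -30, GETUTCDATE())),
    (2, DATEADD(day,   -5, GETUTCDATE()));

-- 1. The post's report: distinct user names seen in the trailing 90 days.
SELECT DISTINCT ru.UserName
FROM #RequestUser ru
INNER JOIN #ServiceRequest sr ON ru.RequestUserId = sr.RequestUserId
WHERE sr.RequestTime > DATEADD(day, -90, GETUTCDATE())
ORDER BY ru.UserName;

-- 2. Historical check: for every day that saw a request, count the distinct
--    users in the 90-day window ending on that day. The largest DistinctUsers
--    value is the license count that would have kept you compliant at every
--    point covered by the log, not just today.
WITH Activity AS (
    SELECT CAST(sr.RequestTime AS DATE) AS ActivityDate, ru.UserName
    FROM #RequestUser ru
    INNER JOIN #ServiceRequest sr ON ru.RequestUserId = sr.RequestUserId
),
WindowEnds AS (
    SELECT DISTINCT ActivityDate AS WindowEnd FROM Activity
)
SELECT w.WindowEnd,
       DATEADD(day, -89, w.WindowEnd) AS WindowStart,   -- 90 days inclusive
       COUNT(DISTINCT a.UserName)      AS DistinctUsers
FROM WindowEnds w
INNER JOIN Activity a
    ON  a.ActivityDate >  DATEADD(day, -90, w.WindowEnd)
    AND a.ActivityDate <= w.WindowEnd
GROUP BY w.WindowEnd
ORDER BY w.WindowEnd;

DROP TABLE #ServiceRequest;
DROP TABLE #RequestUser;
```

Both result sets count distinct UserName values, which is exactly what the log records, so the two addresses for the same mailbox in the fixture are counted as two users. That is the same inflation the post describes for the Statistics report, and it is why the final list still has to be reconciled against your directory before it becomes a license count. Keep the log retention longer than 90 days if you want the historical query to be meaningful; the purging sample the post links to trims the same tables.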