Keeping track of AD RMS License usage

September 27, 2016

Licensing Microsoft AD RMS is troublesome for any organization that has had to use it for a period of time. As users come and go, licenses are expected to be returned and reused by the next person, within reasonable boundaries. Quoting the Microsoft Product Terms (Sep 1 2016):

"9. License Assignment and Reassignment

Before Customer uses software under a License, it must assign that License to a device or user, as appropriate. Customer may reassign a License to another device or user, but not less than 90 days since the last reassignment of that same License, unless the reassignment is due to (i) permanent hardware failure or loss, (ii) termination of the user’s employment or contract or (iii) temporary reallocation of CALs, Client Management Licenses and user or device SLs to cover a user’s absence or the unavailability of a device that is out of service."

What this means in practice is that you need to keep track of the previous 90 days' worth of usage - if going by User CAL, the number of unique users using the product within those 90 days is the number of licenses you will need in order to stay license compliant.

 

Why is this troublesome for organizations using AD RMS? Because Microsoft does not provide the tools necessary for you to keep track of AD RMS usage.

Observe:

Statistics Reports - gives you the count of every AD RMS license ever consumed. This includes active and discarded users, and may be inflated for users that have more than 1 email address tied to their Exchange account.

In fact you can produce the same report yourself in T-SQL by running this query against the DRMS_Config_xxxx database: 

 

SELECT count(*) FROM UD_Users

 

The other reports, System Health and Troubleshooting, are more useful for performance tuning and troubleshooting purposes than for licensing.

 

As a product consumer you are left with the following options:

1. License every user in the organization

2. Employ security measures to prevent accidental AD RMS consumption by the wrong user. You could technically restrict access to "/_wmcs/Certification/Certification.asmx" to a specific AD group. Take note, however, that Microsoft recommends:

"Default permissions should be kept, which causes users to be prompted for domain credentials when they access the service externally. Default permissions also provide temporary RACs to users on computers not managed by the organization’s IT department."

https://technet.microsoft.com/en-us/library/dd996632(v=ws.10).aspx

3. Figure out another way to keep track of AD RMS consumption

Here's a custom query I want to share, querying the DRMS_Logging_xxxx database:

 

SELECT DISTINCT RequestUser.UserName FROM RequestUser INNER JOIN ServiceRequest ON RequestUser.RequestUserId = ServiceRequest.RequestUserId 
WHERE ServiceRequest.RequestTime > DATEADD(day, -90,  getutcdate())
ORDER BY RequestUser.UserName

 

I got the idea from a published AD RMS Log Purging sample (https://technet.microsoft.com/en-us/library/dd941624(v=ws.10).aspx). The query produces a report for the 90 days prior to the current date, then outputs the usernames for you to verify that they are actual human beings that have used AD RMS in the past 90 days.
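To help with that verification, here is an extension of the query above, added as an example and not part of the original post or of Microsoft's sample. It uses only the tables and columns the query above references; the column aliases and the @WindowDays variable are names chosen for this example, and RequestTime is assumed to be stored in UTC, as the original query implies.

```sql
-- Added example: run against the DRMS_Logging_xxxx database.
-- One row per user seen in the window, with activity details that help
-- tell real people apart from accounts that touched AD RMS only once.
DECLARE @WindowDays int;
SET @WindowDays = 90;  -- reassignment window quoted from the Product Terms

SELECT
    ru.UserName,
    COUNT(*)            AS RequestCount,        -- requests logged in the window
    MIN(sr.RequestTime) AS FirstRequestUtc,     -- earliest request in the window
    MAX(sr.RequestTime) AS LastRequestUtc,      -- most recent request
    COUNT(*) OVER ()    AS UniqueUsersInWindow  -- total users (rows) returned
FROM RequestUser AS ru
INNER JOIN ServiceRequest AS sr
    ON ru.RequestUserId = sr.RequestUserId
WHERE sr.RequestTime > DATEADD(day, -@WindowDays, GETUTCDATE())
GROUP BY ru.UserName
ORDER BY LastRequestUtc DESC, ru.UserName;
```

UniqueUsersInWindow repeats the same total on every row, so the license count and the per-user detail come back in one result set. Entries purged from the logging database are not counted, so keep at least 90 days of log data.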

 

Cheers.

 

 

 

 

© 2020 by IT Re-engineering Pte Ltd