We help IT Professionals succeed at work.

Restricting terminal server device license acquisition

I'd like to know if there is a way that I can restrict my TS device Cals to a specific subnet. Other devices are using up my TS device that I use for my thin clients.  I'd like to be able to restrict the licenses to devices on a single subnet.  I had tried a product called SecureRDP by 2X thinking that it would do this for me by restricting RDP connections to only a single subnet for thin clients.  The problem is that even though no RDP connection is made, a license is still acquired by the connecting device.  Is there any way to accomplish this?
Watch Question

Well, you could use IPSec restrictions on the NIC to block traffic from the other servers but that may have other side effects.  Your AD is what is telling your servers where to look for TS Licensing.  There are 2 modes for a license server, I think they are domain/workgroup and enterprise (something like that).  You could reinstall licensing and make sure you pick the role that is less broad.  It takes about 10 minutes to remove TS Licensing, add it back, and re-issue you TCALs.  You could also point every other server to a different install of TS Licensing.  Make a GPO linking to a special OU and put the terminal server in that serves the thin clients.  Use the GPO to specify your special license server and set the same up for all of the other servers.  Only servers in Terminal Server Mode will take a TCAL.  

On the other hand...why don't you simply reissue you TCALs as Per User; Per User TCALs are not tracked at all and the number will never decrement.


We use a per device license.  This helps when you run call centers that can have a high rate of turn over.  From what I understand, per user licenses will stick with that user until they haven't logged in for 58 to 90 days.  I thought there'd be a way to limit the distribution of licenses to a particular subnet.  

Per User licenses are not tracked and thus never decrement although, legally, you are best with per device if your users outnumber your devices.  They haven't put a tracking mechanism in place for per user TCALs yet so if you are pretty much even users:computers then Per User is the way to go.  
I have never seen a built-in way to limit the distribution of TCALs but you can use GPO to direct your servers so it is certainly possible that way.  


I currently use a GPO to tell any device connecting to the server farm where to get a licesne.  The problem is that if an RDP session is opened by a PC, it also will pick up a license.  All of the thin clients that we use are on the same subnet. PCs exist on a different subnet.  Our users are actually equal to our devices and should never be uneven.  If anything we should have more devices than users do to someone no longer working for the company.  So, what happens when all of the per user TS Cals are used?  Does it give temp licenses like the TS per Device method?
Cláudio RodriguesFounder and CEO

Per User TS CALs are never 'used' or tracked/enforced. So you never run out of them if you understand it. This is the opposite from per device TS CALs where if one is not available and your temporary one expired you are actually denied a connection to the TS.
I just do not understand what your problem is.
If a device that is not supposed to get a license gets one, that device, if not used, will 'return' that license after a maximum of 89 days. During the meantime if another device that really needs a license connects, if there are no licenses available they get a temporary one, good for 90 days. So by the time it needs a full one the one the other device took will be back to the pool and you should be ok.
If you are not ok that means there are devices that are actually using licenses and you do not have them or these devices may have older firmwares (if thin clients) and there is a bug on them regarding licensing handling (most manufacturers released new firmwares that addressed that).

Claudio Rodrigues

Microsoft MVP
Windows Server - Terminal Services
What is happening is a misunderstanding of how the licenseing is directed.  You point a server, not a client.  The clients sign into servers but the servers request TCALs from specified license servers.  The clients do not get them directly from a license server.  
You can GPO every server in your network to a "dummy" license server and then GPO the ones you care about to the good one with all of your TCALs.  
Per User licenses will only be taken from servers that are configured as Per User and the same goes for Per Device.  You can load both types of licenses on one server and servers that take one type will look at that type only.  
Forced accept.

EE Admin

Explore More ContentExplore courses, solutions, and other research materials related to this topic.