Solved

user CALS vs. device CALS

Posted on 2014-04-17
5
4,369 Views
Last Modified: 2014-04-17
Hello…

I believe I understand the basic differences between user CALS and device CALS. If there are online links to clarify my question, please advise.

For example, if I have 50 office PCs connected to a server and I have 100 users working two shifts and sharing use of the 50 PCs…then all I need is 50 device CALS. But if the reverse were true and I had 100 PCs and I had only one shift of 50 workers using those 100 computers…then all I need is 50 user CALS.
 
Anyway, my question is a little more specific.

Our corporate headquarter personnel (managers, supervisors, and support staff persons) all have individual login accounts (relative to Active Directory).
 
But in each of our remote locations the employees log each PC at that location into the Windows Active Directory user account for that location. For example, we may have 5 employees at a (remote) downtown location, but all 10 PCs (devices) at the store are logged into Windows Active Directory user account named “Downtown Store”. The same would be true for employees working at the (remote) airport location. There may be 10 PCs (devices) logged into Windows Active Directory user account named “Airport Location” but there are only 5 employees using those 10 PCs.
 
My question is, “If I have 10 PCs logged into the same Windows Active Directory users account (like the “Downtown Store” or “Airport Location” examples used here) is Windows only going to count the 5 physical users as needing 1 CAL each for a total of 5 CALS...for that location?
 
The point I need to verify is that if I have more PCs logged into the same Active Directory user account than I have physical users of those PCs, I only need to total the user CALS for the PHYSICAL users of that user account.

Thank you for your time...

L Long
0
Comment
Question by:LLong29
5 Comments
 
LVL 17

Accepted Solution

by:
Brad Bouchard earned 333 total points
ID: 40007236
Here is a simple breakdown of the two:  http://social.technet.microsoft.com/Forums/en-US/53e9a1ff-95b5-41e2-adce-88aad698f86e/difference-between-per-user-or-per-device-license?forum=winservergen

Per Device means you have a license/CAL per device connecting to a Microsoft Windows Server/Application.  Per User means that for example even if you have 20 devices and 300 users, you still would need 300 CALs if you were going to do Per User and each user had their own account.

For example, if I have 50 office PCs connected to a server and I have 100 users working two shifts and sharing use of the 50 PCs…then all I need is 50 device CALS. But if the reverse were true and I had 100 PCs and I had only one shift of 50 workers using those 100 computers…then all I need is 50 user CALS.
This is correct.

For example, we may have 5 employees at a (remote) downtown location, but all 10 PCs (devices) at the store are logged into Windows Active Directory user account named “Downtown Store”.
This does not matter as CALs are not based on Active Directory users, but rather real human users.  So for however many people access one shared account, you'd still need that many CALs.

Windows only going to count the 5 physical users as needing 1 CAL each for a total of 5 CALS...for that location?
Yes.

The point I need to verify is that if I have more PCs logged into the same Active Directory user account than I have physical users of those PCs, I only need to total the user CALS for the PHYSICAL users of that user account.
Again, yes you are right about this.

Keep in mind this one thing about CALs.  With Microsoft there usually isn't (unless in the case of some apps, Remote Desktop items, and a few other one offs) something keeping track of this and watching.  You have to keep track of it and be diligent to make sure you have the CALs so if you get audited you're not in trouble.
0
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 167 total points
ID: 40007253
First the obligatory, but very important disclaimer:

No advice given on EE or in any forum is legally binding. It will not protect you if you find yourself in legal hot water for licensing violations. It is *always* best to get written documentation from the license grantor if you are in doubt.

Now, with that said...

Accounts don't matter. You don't buy a CAL for an account. You can't create a single user account, for example, and buy one user CAL and expect it to cover any user that happens to have that password. That's illegal.

So with that in mind, since accounts don't actually have a direct relation to CALs, I also suggest that it is a terribly poor security practice to use generic accounts like "downtown" or "airport." Each user should *always* have their own account and then you can use security groups to manage settings that need to apply to an entire group. Since generic accounts don't provide any benefit licensing-wise, the only thing they do is make your network less secure, for almost no gain.

But, back to licensing. If you use the user CAL model, a CAL *must* be bought for each individual. It doesn't matter if they use a generic account or not. They are a person and if you get audited (and you very likely will sometime), you need to show that you were following the licensing rules.

I recommend, at the very least, using some sort of paper tracking mechanism. A spreadsheet with the agreement #, the number of CALs purchased, and then a list of users and the date you "assigned" a CAL to them, and maybe a status like "Active" or "Inactive."  Your "active" user count should never be higher than the number of purchased CALs, and the assigned date can demonstrate that you aren't transferring CALs more often than the licensing allows (such as every 90 days.)

Similarly, if you go the device route, *every* device needs a CAL. That includes smartphones, tablets, BYOD devices....and tracking them should be done similarly. Number of purchased CALs. List of active devices. Date the CAL was "assigned" to the device, etc.

If an audit shows up and turns up even a single person who does not have a CAL and was on the network using a device that also did not have a CAL, you can end up getting hit with BIG fines. Not worth the risk.

-Cliff
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40007464
Yes it is up to 1/4 of your total CALS than can be re-assigned every 90 days from date of issuance.
0
 
LVL 17

Assisted Solution

by:Brad Bouchard
Brad Bouchard earned 333 total points
ID: 40007518
 Your "active" user count should never be higher than the number of purchased CALs,
While this is a good practice, you can actually be within 5-10 CALs on most Microsoft products.
0
 

Author Comment

by:LLong29
ID: 40007819
Thank you for your replies...

As far as our current practice for using generic AD user accounts to log in Windows PCs, that practice was in place before I started here.
 
As mentioned, the corporate office personnel each have individual AD accounts with different levels of access assigned per person. But the Windows PCs (in the various offices around the city) that are logged into generic AD accounts run customized POS (Point of Sale) software that employees login by name and password. Therefore each employees’ work and data follow them by their name and password in the POS system…regardless of which computer they work from at their current office location.

And thank you again for your replies...

L Long
0

Join & Write a Comment

OfficeMate Freezes on login or does not load after login credentials are input.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now