We have a Windows 2003 domain and have just set up some terminal servers using a Windows 2008 terminal server licensing manager server in the domain (we are using per user licensing). This license server is not a DC.
Our problem is that mostusers will not be assigned licenses from the license server and the eventviewer says:
The Terminal Services license server cannot update the license attributes for user "XXX" in the Active Directory Domain "mydomain.intern". Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain "dirnat.intern".
If the license server is installed on a domain controller, the Network Service account also needs to be a member of the Terminal Server License Servers group.
If the license server is installed on a domain controller, after you have added the appropriate accounts to the Terminal Server License Servers group, you must restart the Terminal Services Licensing service to track or report the usage of TS Per User CALs.
Well, sure enough the server in question was not member of the "Terminal Server License Servers" group at first but was added. Restarted (both ts and licensing servers) and the situation is still the same.
A little further investigation shows that this problem occours for apx 3 out of 4 users. Checking users permissions with powershell get-adpermission reveals that the group "Terminal Server License Servers" is present with some special permissions on the accounts who works, and is absent on the rest. At first it looked like it was a inheritance problem, but the users OU shows no trace of the "Terminal Server Licensing Servers"-group. Interestingly enough all newly created users gets the correct permissions which makes me think that the permissions are added as a part of default settings from the AD-Schema. I can see that the "Terminal Server Licensing Servers"-group is present with permssions on the users objevt, but the AD Schema mmc-snapin doesnt seem to be able to list which particular permissions this is.
Anyway - at one point a job must have been triggered that tried to set these permissions for all user accounts (?) in my domain, but it must have stopped at one point. Is there a way I can trig this manually? Or is there another way to get this done by the book?
I was thinking I could simply set the permissions manually through powershell and hope for the best, but I really don't like doing that in case this is a sign that something else is wrong with my AD. I suspect this because profile-folders seem to be inconsistent on some users (some are created as USERNAME.V2 while others are created as USERNAME.DOMAIN.V2 and some users gets both of them and the TS keeps alternating between them..) Strange thing, but perhaps this is all connected.
Anyone have a suggestion here?. Should I fix the accounts with a set-adpermission command or choose another approach?
There seems to be others with quite similar problems in this thread:
