Event 4105 and no TS CAL issued in Server 2008

Hi, everyone!

When I log on as a Remote Desktop User to Terminal Services in Windows
Server 2008 event 4105 is logged on the license server:

=============================================
Log Name: System
Source: Microsoft-Windows-TerminalServices-Licensing
Date: 2009-02-23 16:24:13
Event ID: 4105
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: <removed>
Description:
The Terminal Services license server cannot update the license attributes
for user "<removed>" in the Active Directory Domain "<removed>". Ensure that
the computer account for the license server is a member of Terminal Server
License Servers group in Active Directory domain "<removed>".
If the license server is installed on a domain controller, the Network
Service account also needs to be a member of the Terminal Server License
Servers group.
If the license server is installed on a domain controller, after you have
added the appropriate accounts to the Terminal Server License Servers group,
you must restart the Terminal Services Licensing service to track or report
the usage of TS Per User CALs.
Win32 error code: 0x80070005
=============================================

The license server is hosted on a Win2008 Domain Controller.
The terminal server is a Win2008 server in the same domain.

I have added the computer account for the license server and the Network
Service account to the Terminal Server License Servers group, but with no
luck.

This error doesn't occur when a domain admin logs on. According to the
reports in the Licensing Manager CALs are only issued when a domain admin
logs on.

There are three domain controllers in the domain; one Win2008, one Win2003
and one Win2003 R2. Adprep was successfully applied when the 2008 DC was
installed.

Any help is appreciated!

MrSpock

 

Finally, it works!

For those of you experiencing the same problem, I'll give you my solution.
The cause to all this is missing permissions for the Terminal Server License
Server group on user objects in Active Directory that existed before
upgrading the AD Schema to Windows 2008. Users added after the upgrade is
alright. I wrote a Powershell script that enumerates all users in the AD,
checks if the permissions are OK, and if not adds the missing access role.

=============================================
# Description: This script will add missing permissions for the Terminal
Server License Server group to user objects in Active Directory.
# This may solve problems with TS CALs not beeing issued and event id
4105 being logged at the license server.

# Constants
$URL = "LDAP://DC=yourdomain,DC=com"

cls
$root = New-Object DirectoryServices.DirectoryEntry $URL
$ds = New-Object DirectoryServices.DirectorySearcher
$ds.SearchRoot = $root
$ds.filter = "objectCategory=Person"
$src = $ds.findall()
write-host "Found" $src.count "user objects.`n"
$src | %{
$de = $_.getdirectoryentry()
$accessrules = $de.get_objectsecurity().getaccessrules($true, $false,
[System.Security.Principal.SecurityIdentifier]) | ?{$_.ObjectType -eq
"5805bc62-bdc9-4428-a5e2-856a0f4c185e"}
if ((measure-object -inputobject $accessrules).count -eq 0)
{
$ar = new-object
System.DirectoryServices.ActiveDirectoryAccessRule([System.Security.Principal.SecurityIdentifier]"S-1-5-32-561",
48, "Allow", [guid]"5805bc62-bdc9-4428-a5e2-856a0f4c185e")
$de.get_objectsecurity().addaccessrule($ar)
$de.commitchanges()
write-host -f yellow ("Added:`t" + $de.properties["sAMAccountName"])
start-sleep -m 200
}
else
{
write-host -f green ("OK:`t" + $de.properties["sAMAccountName"])
}
}
=============================================

Run the script once again and all users should be marked "OK".

MrSpock


"MrSpock77" wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Hi, everyone!
>
> When I log on as a Remote Desktop User to Terminal Services in Windows
> Server 2008 event 4105 is logged on the license server:
>
> =============================================
> Log Name: System
> Source: Microsoft-Windows-TerminalServices-Licensing
> Date: 2009-02-23 16:24:13
> Event ID: 4105
> Task Category: None
> Level: Warning
> Keywords: Classic
> User: N/A
> Computer: <removed>
> Description:
> The Terminal Services license server cannot update the license attributes
> for user "<removed>" in the Active Directory Domain "<removed>". Ensure that
> the computer account for the license server is a member of Terminal Server
> License Servers group in Active Directory domain "<removed>".
> If the license server is installed on a domain controller, the Network
> Service account also needs to be a member of the Terminal Server License
> Servers group.
> If the license server is installed on a domain controller, after you have
> added the appropriate accounts to the Terminal Server License Servers group,
> you must restart the Terminal Services Licensing service to track or report
> the usage of TS Per User CALs.
> Win32 error code: 0x80070005
> =============================================
>
> The license server is hosted on a Win2008 Domain Controller.
> The terminal server is a Win2008 server in the same domain.
>
> I have added the computer account for the license server and the Network
> Service account to the Terminal Server License Servers group, but with no
> luck.
>
> This error doesn't occur when a domain admin logs on. According to the
> reports in the Licensing Manager CALs are only issued when a domain admin
> logs on.
>
> There are three domain controllers in the domain; one Win2008, one Win2003
> and one Win2003 R2. Adprep was successfully applied when the 2008 DC was
> installed.
>
> Any help is appreciated!
>
> MrSpock<!--colorc--><!--/colorc-->

 

Hi MrSpock77,

I have exactly the same Problem at my TS. As I started your script an error
appears:

+ $accessrules = $de.get_objectsecurity( <<<< ).getaccessrules($true, $false,
Exception calling "get_objectsecurity" with "0" argument(s): "Unknown name.
(Exception from HRESULT: 0x80020006 (DISP_E_UNKNOWNNAME))"

Can you help me further, pls!?

"MrSpock77" wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Finally, it works!
>
> For those of you experiencing the same problem, I'll give you my solution.
> The cause to all this is missing permissions for the Terminal Server License
> Server group on user objects in Active Directory that existed before
> upgrading the AD Schema to Windows 2008. Users added after the upgrade is
> alright. I wrote a Powershell script that enumerates all users in the AD,
> checks if the permissions are OK, and if not adds the missing access role.
>
> =============================================
> # Description: This script will add missing permissions for the Terminal
> Server License Server group to user objects in Active Directory.
> # This may solve problems with TS CALs not beeing issued and event id
> 4105 being logged at the license server.
>
> # Constants
> $URL = "LDAP://DC=yourdomain,DC=com"
>
> cls
> $root = New-Object DirectoryServices.DirectoryEntry $URL
> $ds = New-Object DirectoryServices.DirectorySearcher
> $ds.SearchRoot = $root
> $ds.filter = "objectCategory=Person"
> $src = $ds.findall()
> write-host "Found" $src.count "user objects.`n"
> $src | %{
> $de = $_.getdirectoryentry()
> $accessrules = $de.get_objectsecurity().getaccessrules($true, $false,
> [System.Security.Principal.SecurityIdentifier]) | ?{$_.ObjectType -eq
> "5805bc62-bdc9-4428-a5e2-856a0f4c185e"}
> if ((measure-object -inputobject $accessrules).count -eq 0)
> {
> $ar = new-object
> System.DirectoryServices.ActiveDirectoryAccessRule([System.Security.Principal.SecurityIdentifier]"S-1-5-32-561",
> 48, "Allow", [guid]"5805bc62-bdc9-4428-a5e2-856a0f4c185e")
> $de.get_objectsecurity().addaccessrule($ar)
> $de.commitchanges()
> write-host -f yellow ("Added:`t" + $de.properties["sAMAccountName"])
> start-sleep -m 200
> }
> else
> {
> write-host -f green ("OK:`t" + $de.properties["sAMAccountName"])
> }
> }
> =============================================
>
> Run the script once again and all users should be marked "OK".
>
> MrSpock
>
>
> "MrSpock77" wrote:
> <!--coloro:green--><span style="color:green <!--/coloro-->
> > Hi, everyone!
> >
> > When I log on as a Remote Desktop User to Terminal Services in Windows
> > Server 2008 event 4105 is logged on the license server:
> >
> > =============================================
> > Log Name: System
> > Source: Microsoft-Windows-TerminalServices-Licensing
> > Date: 2009-02-23 16:24:13
> > Event ID: 4105
> > Task Category: None
> > Level: Warning
> > Keywords: Classic
> > User: N/A
> > Computer: <removed>
> > Description:
> > The Terminal Services license server cannot update the license attributes
> > for user "<removed>" in the Active Directory Domain "<removed>". Ensure that
> > the computer account for the license server is a member of Terminal Server
> > License Servers group in Active Directory domain "<removed>".
> > If the license server is installed on a domain controller, the Network
> > Service account also needs to be a member of the Terminal Server License
> > Servers group.
> > If the license server is installed on a domain controller, after you have
> > added the appropriate accounts to the Terminal Server License Servers group,
> > you must restart the Terminal Services Licensing service to track or report
> > the usage of TS Per User CALs.
> > Win32 error code: 0x80070005
> > =============================================
> >
> > The license server is hosted on a Win2008 Domain Controller.
> > The terminal server is a Win2008 server in the same domain.
> >
> > I have added the computer account for the license server and the Network
> > Service account to the Terminal Server License Servers group, but with no
> > luck.
> >
> > This error doesn't occur when a domain admin logs on. According to the
> > reports in the Licensing Manager CALs are only issued when a domain admin
> > logs on.
> >
> > There are three domain controllers in the domain; one Win2008, one Win2003
> > and one Win2003 R2. Adprep was successfully applied when the 2008 DC was
> > installed.
> >
> > Any help is appreciated!
> >
> > MrSpock<!--colorc--><!--/colorc--><!--colorc--><!--/colorc-->

 

Hi, M@z!

You may have lost some line breaks due to bad formatting. Try to download
this file instead with preserved line breaks.



MrSpock



"m@z" wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Hi MrSpock77,
>
> I have exactly the same Problem at my TS. As I started your script an error
> appears:
>
> + $accessrules = $de.get_objectsecurity( <<<< ).getaccessrules($true, $false,
> Exception calling "get_objectsecurity" with "0" argument(s): "Unknown name.
> (Exception from HRESULT: 0x80020006 (DISP_E_UNKNOWNNAME))"
>
> Can you help me further, pls!?<!--colorc--><!--/colorc-->

 

You may also try to upgrade your PowerShell to latest version:



MrSpock


"MrSpock77" wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Hi, M@z!
>
> You may have lost some line breaks due to bad formatting. Try to download
> this file instead with preserved line breaks.
>
>
>
> MrSpock
>
>
>
> "m@z" wrote:
> <!--coloro:green--><span style="color:green <!--/coloro-->
> > Hi MrSpock77,
> >
> > I have exactly the same Problem at my TS. As I started your script an error
> > appears:
> >
> > + $accessrules = $de.get_objectsecurity( <<<< ).getaccessrules($true, $false,
> > Exception calling "get_objectsecurity" with "0" argument(s): "Unknown name.
> > (Exception from HRESULT: 0x80020006 (DISP_E_UNKNOWNNAME))"
> >
> > Can you help me further, pls!?<!--colorc--><!--/colorc--><!--colorc--><!--/colorc-->

 

Hi, thx for the download!

I got the script, but do I really need PowerShell v2 to run the script?



"MrSpock77" wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
> You may also try to upgrade your PowerShell to latest version:
>
>
>
> MrSpock
>
>
> "MrSpock77" wrote:
> <!--coloro:green--><span style="color:green <!--/coloro-->
> > Hi, M@z!
> >
> > You may have lost some line breaks due to bad formatting. Try to download
> > this file instead with preserved line breaks.
> >
> >
> >
> > MrSpock
> >
> >
> >
> > "m@z" wrote:
> > <!--coloro:darkred--><span style="color:darkred <!--/coloro-->
> > > Hi MrSpock77,
> > >
> > > I have exactly the same Problem at my TS. As I started your script an error
> > > appears:
> > >
> > > + $accessrules = $de.get_objectsecurity( <<<< ).getaccessrules($true, $false,
> > > Exception calling "get_objectsecurity" with "0" argument(s): "Unknown name.
> > > (Exception from HRESULT: 0x80020006 (DISP_E_UNKNOWNNAME))"
> > >
> > > Can you help me further, pls!?<!--colorc--><!--/colorc--><!--colorc--><!--/colorc--><!--colorc--><!--/colorc-->

 

Well, I don't know, but that's what I use. Try the script, and if it fails,
update to v2. Let me know your results.

MrSpock


"m@z" wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Hi, thx for the download!
>
> I got the script, but do I really need PowerShell v2 to run the script?<!--colorc--><!--/colorc-->

 

I already tried and failed, so I´ll update to V2 I´ll do it tomorrow and then
let you know!

Thanks again


"MrSpock77" wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Well, I don't know, but that's what I use. Try the script, and if it fails,
> update to v2. Let me know your results.
>
> MrSpock
>
>
> "m@z" wrote:
> <!--coloro:green--><span style="color:green <!--/coloro-->
> > Hi, thx for the download!
> >
> > I got the script, but do I really need PowerShell v2 to run the script?<!--colorc--><!--/colorc-->
> <!--colorc--><!--/colorc-->

 

You wouldn't happen to have written anything to create the builtin groups
(Terminal Services License Servers) as for my W2K AD DC does not have it.
Others have stated once the ADPREP has run and TS Licensing is installed on
the WS2008 it would be created but no luck here.

Thanks,
Turk

 

THANK YOU !!!

Yes I know that all caps is shouting.. but I want Mr. Spock to know that his script ran PERFECTLY and fixed one problem that has been haunting me ever since I brought this system up.

Thank you Sir...

Now if I can just figure out why 5 out of 700 users over 375 printers consistantly have print jobs hang up... I'll be walking in tall cotton.

Thank you again.. Job WELL DONE !!

Bob




MrSpock7 wrote:

RE: Event 4105 and no TS CAL issued in Server 2008
09-Mar-09

Hi, M@z!

You may have lost some line breaks due to bad formatting. Try to download
this file instead with preserved line breaks.



MrSpock



"m@z" wrote:

EggHeadCafe - Software Developer Portal of Choice
WPF DataGrid Custom Paging and Sorting