Remove the Enterprise CALs required
On Mon, 24 Sep 2012 16:19:23 +0000, erolleman wrote:
>On Fri, 21 Sep 2012 15:03:25 +0000, A_D_ wrote: >Yes. If you are using that Organizational Health check and it says you need Enterprise CALs, its been known to be wrong. As long as you are doing your due diligence to make sure you aren't, then you are
ok. It's easy to overlook something in the ActiveSync policies . . . real easy. One little checkbox (and it's usually one you UNcheck!) and you need Enterprise CALs. --- Rich Matheisen MCSE+I, Exchange MVP
>--- Rich Matheisen MCSE+I, Exchange MVP
>
>Could you, by any chance, think of an option in the ActiveSync policy that requires Enterprise CALs for? The licensing page that A_D_ linked me just says "Exchange ActiveSync Mobile Management Policies: Standard", which doesn't really point out which
features in the policy I can use.
This one used to be accurate (or pretty accurate):
http://gallery.technet.microsoft.com/exchange/acdcb192-f226-4517-b3f9-005dce6f4fc3
The relevant portion of the script would be this check against
assigned A/S policies on mailboxes:
if (($ASPolicy.AllowDesktopSync -eq $False) -or
($ASPolicy.AllowStorageCard -eq $False) -or
($ASPolicy.AllowCamera -eq $False) -or
($ASPolicy.AllowTextMessaging -eq $False) -or
($ASPolicy.AllowWiFi -eq $False) -or
($ASPolicy.AllowBluetooth -ne "Allow") -or
($ASPolicy.AllowIrDA -eq $False) -or
($ASPolicy.AllowInternetSharing -eq $False) -or
($ASPolicy.AllowRemoteDesktop -eq $False) -or
($ASPolicy.AllowPOPIMAPEmail -eq $False) -or
($ASPolicy.AllowConsumerEmail -eq $False) -or
($ASPolicy.AllowBrowser -eq $False) -or
($ASPolicy.AllowUnsignedApplications -eq $False) -or
($ASPolicy.AllowUnsignedInstallationPackages -eq $False)
-or
($ASPolicy.ApprovedApplicationList -ne $null) -or
($ASPolicy.UnapprovedInROMApplicationList -ne $null)) {
$Script:AdvancedActiveSyncUserCount++
$Script:EnterpriseCALMailboxIDs[$Mailbox.Identity] = $null
>
>
>
>I also couldn't really find any place where journaling is turned on, so as far as I can tell it isn't. I will look for a PowerShell script to check if any mailboxes or distribution groups have it turned on.
>
>
>
>Thanks.
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
September 24th, 2012 4:07pm
Hi erolleman,
Yes, this is built-in Role Group and Management Role. Actually, there shoule be another
Identity:
Mailbox Search-Organization Management-Delegating
If there is no any other output, it means nobody can do multi-mailbox search.
For your scenario, please check it again on October 1 as the Team blog said.
By the way, the report is for informational purposes only and is estimated. If you meet the Exchange licensing requirement, you can ingore the report.Frank Wang
TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
September 27th, 2012 10:43pm
On Fri, 21 Sep 2012 15:03:25 +0000, A_D_ wrote:
>Yes. If you are using that Organizational Health check and it says you need Enterprise CALs, its been known to be wrong. As long as you are doing your due diligence to make sure you aren't, then you are ok.
It's easy to overlook something in the ActiveSync policies . . . real
easy. One little checkbox (and it's usually one you UNcheck!) and you
need Enterprise CALs.
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
Could you, by any chance, think of an option in the ActiveSync policy that requires Enterprise CALs for? The licensing page that A_D_ linked me just says "Exchange ActiveSync Mobile Management Policies: Standard", which doesn't really point out which features
in the policy I can use.
I also couldn't really find any place where journaling is turned on, so as far as I can tell it isn't. I will look for a PowerShell script to check if any mailboxes or distribution groups have it turned on.
Thanks.
October 26th, 2012 1:46pm
As best as I can tell we aren't using those features yet Exchange server indicates we need Standard and Enterprise CALs... Should I just assume that I'm not in license violation even though the server reports that I need Enterprise CALs?
Free Windows Admin Tool Kit Click here and download it now
October 26th, 2012 2:02pm
Yes. If you are using that Organizational Health check and it says you need Enterprise CALs, its been known to be wrong. As long as you are doing your due diligence to make sure you aren't, then you are ok.
October 26th, 2012 2:05pm
Thank you for the assistance so far Frank.Wang . Below you will find the output of the command. I am pretty sure it is indicating that members of the Active Directory group "Discovery Management" have the role assigned and in a previous post I show
that no users are a member of that group.
Output:
RunspaceId : a2d7727f-e121-4da3-9253-310cad6bfbf6
User : **domain**/Microsoft Exchange Security Groups/Discovery Management
AssignmentMethod : Direct
Identity : Mailbox Search-Discovery Management
EffectiveUserName : All Group Members
AssignmentChain :
RoleAssigneeType : RoleGroup
RoleAssignee : **domain**/Microsoft Exchange Security Groups/Discovery Management
Role : Mailbox Search
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope :
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : None
RecipientWriteScope : Organization
ConfigWriteScope : None
Enabled : True
RoleAssigneeName : Discovery Management
IsValid : True
ExchangeVersion : 0.11 (14.0.550.0)
Name : Mailbox Search-Discovery Management
DistinguishedName : CN=Mailbox Search-Discovery Management,CN=Role Assignments,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,**domain**
Guid : f3215fb7-bc03-4765-b68b-cdbe937039c1
ObjectCategory : **domain**/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass : {top, msExchRoleAssignment}
WhenChanged : 6/27/2012 7:36:45 PM
WhenCreated : 10/21/2010 7:19:48 PM
WhenChangedUTC : 6/28/2012 2:36:45 AM
WhenCreatedUTC : 10/22/2010 2:19:48 AM
OrganizationId :
OriginatingServer : **PDC**
Free Windows Admin Tool Kit Click here and download it now
October 26th, 2012 4:18pm
On Mon, 24 Sep 2012 16:19:23 +0000, erolleman wrote:
>On Fri, 21 Sep 2012 15:03:25 +0000, A_D_ wrote: >Yes. If you are using that Organizational Health check and it says you need Enterprise CALs, its been known to be wrong. As long as you are doing your due diligence to make sure you aren't, then you are
ok. It's easy to overlook something in the ActiveSync policies . . . real easy. One little checkbox (and it's usually one you UNcheck!) and you need Enterprise CALs. --- Rich Matheisen MCSE+I, Exchange MVP
>--- Rich Matheisen MCSE+I, Exchange MVP
>
>Could you, by any chance, think of an option in the ActiveSync policy that requires Enterprise CALs for? The licensing page that A_D_ linked me just says "Exchange ActiveSync Mobile Management Policies: Standard", which doesn't really point out which
features in the policy I can use.
This one used to be accurate (or pretty accurate):
http://gallery.technet.microsoft.com/exchange/acdcb192-f226-4517-b3f9-005dce6f4fc3
The relevant portion of the script would be this check against
assigned A/S policies on mailboxes:
if (($ASPolicy.AllowDesktopSync -eq $False) -or
($ASPolicy.AllowStorageCard -eq $False) -or
($ASPolicy.AllowCamera -eq $False) -or
($ASPolicy.AllowTextMessaging -eq $False) -or
($ASPolicy.AllowWiFi -eq $False) -or
($ASPolicy.AllowBluetooth -ne "Allow") -or
($ASPolicy.AllowIrDA -eq $False) -or
($ASPolicy.AllowInternetSharing -eq $False) -or
($ASPolicy.AllowRemoteDesktop -eq $False) -or
($ASPolicy.AllowPOPIMAPEmail -eq $False) -or
($ASPolicy.AllowConsumerEmail -eq $False) -or
($ASPolicy.AllowBrowser -eq $False) -or
($ASPolicy.AllowUnsignedApplications -eq $False) -or
($ASPolicy.AllowUnsignedInstallationPackages -eq $False)
-or
($ASPolicy.ApprovedApplicationList -ne $null) -or
($ASPolicy.UnapprovedInROMApplicationList -ne $null)) {
$Script:AdvancedActiveSyncUserCount++
$Script:EnterpriseCALMailboxIDs[$Mailbox.Identity] = $null
>
>
>
>I also couldn't really find any place where journaling is turned on, so as far as I can tell it isn't. I will look for a PowerShell script to check if any mailboxes or distribution groups have it turned on.
>
>
>
>Thanks.
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
October 26th, 2012 5:34pm
On Fri, 21 Sep 2012 15:03:25 +0000, A_D_ wrote:
>Yes. If you are using that Organizational Health check and it says you need Enterprise CALs, its been known to be wrong. As long as you are doing your due diligence to make sure you aren't, then you are ok.
It's easy to overlook something in the ActiveSync policies . . . real
easy. One little checkbox (and it's usually one you UNcheck!) and you
need Enterprise CALs.
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
October 26th, 2012 6:27pm
On Fri, 21 Sep 2012 15:03:25 +0000, A_D_ wrote:
>Yes. If you are using that Organizational Health check and it says you need Enterprise CALs, its been known to be wrong. As long as you are doing your due diligence to make sure you aren't, then you are ok.
It's easy to overlook something in the ActiveSync policies . . . real
easy. One little checkbox (and it's usually one you UNcheck!) and you
need Enterprise CALs.
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
tru dat!
October 26th, 2012 6:29pm
On Mon, 24 Sep 2012 16:19:23 +0000, erolleman wrote:
>On Fri, 21 Sep 2012 15:03:25 +0000, A_D_ wrote: >Yes. If you are using that Organizational Health check and it says you need Enterprise CALs, its been known to be wrong. As long as you are doing your due diligence to make sure you aren't, then you
are ok. It's easy to overlook something in the ActiveSync policies . . . real easy. One little checkbox (and it's usually one you UNcheck!) and you need Enterprise CALs. --- Rich Matheisen MCSE+I, Exchange MVP
>--- Rich Matheisen MCSE+I, Exchange MVP
>
>Could you, by any chance, think of an option in the ActiveSync policy that requires Enterprise CALs for? The licensing page that A_D_ linked me just says "Exchange ActiveSync Mobile Management Policies: Standard", which doesn't really point out which
features in the policy I can use.
This one used to be accurate (or pretty accurate):
http://gallery.technet.microsoft.com/exchange/acdcb192-f226-4517-b3f9-005dce6f4fc3
The relevant portion of the script would be this check against
assigned A/S policies on mailboxes:
if (($ASPolicy.AllowDesktopSync -eq $False) -or
($ASPolicy.AllowStorageCard -eq $False) -or
($ASPolicy.AllowCamera -eq $False) -or
($ASPolicy.AllowTextMessaging -eq $False) -or
($ASPolicy.AllowWiFi -eq $False) -or
($ASPolicy.AllowBluetooth -ne "Allow") -or
($ASPolicy.AllowIrDA -eq $False) -or
($ASPolicy.AllowInternetSharing -eq $False) -or
($ASPolicy.AllowRemoteDesktop -eq $False) -or
($ASPolicy.AllowPOPIMAPEmail -eq $False) -or
($ASPolicy.AllowConsumerEmail -eq $False) -or
($ASPolicy.AllowBrowser -eq $False) -or
($ASPolicy.AllowUnsignedApplications -eq $False) -or
($ASPolicy.AllowUnsignedInstallationPackages -eq $False)
-or
($ASPolicy.ApprovedApplicationList -ne $null) -or
($ASPolicy.UnapprovedInROMApplicationList -ne $null)) {
$Script:AdvancedActiveSyncUserCount++
$Script:EnterpriseCALMailboxIDs[$Mailbox.Identity] = $null
>
>
>
>I also couldn't really find any place where journaling is turned on, so as far as I can tell it isn't. I will look for a PowerShell script to check if any mailboxes or distribution groups have it turned on.
>
>
>
>Thanks.
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
Thanks for finding the script for me. This is the report:
Total Standard CALs calculated: 52
Advanced Anti-spam Enabled: False
Info Leakage Protection Enabled: False
Unified Messaging Users calculated: 0
Managed Custom Folder Users calculated: 0
Advanced ActiveSync Policy Users calculated: 0
Archived Mailbox Users calculated: 0
Retention Policy Users calculated: 2
Searchable Users calculated: 52
Journaling Users calculated: 0
Total Enterprise CALs calculated: 52
=========================
Exchange CAL Usage Report
=========================
Total Users: 52
Total Standard CALs: 52
Total Enterprise CALs: 52
It appears that I have some "Searchable Users" enabled. Doesn't that have something to do with the Multi-User search and the discovery mailbox? Any idea on how I would remove those users from that count?
Free Windows Admin Tool Kit Click here and download it now
October 26th, 2012 9:23pm
I'm pretty sure those are the people assigned the "Discovery
Management" RBAC role. That role allows the application of "Legal
Hold".
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
I thought that might be that case too, but I checked and there are no users assigned that role.
October 26th, 2012 9:25pm
I've never used Multi-Mailbox search, but I am quite new here and a previous administrator may have. No users have the Discovery Search assigned to them and therefore cannot do it. That is what I was attempting to show in my last post. Are
the Multi-Mailbox Search and the Discovery Search Role not related?
Free Windows Admin Tool Kit Click here and download it now
October 26th, 2012 9:30pm
Retention Policy Users calculated: 2
Searchable Users calculated: 52
Total Enterprise CALs calculated: 52
=========================
It appears that I have some "Searchable Users" enabled. Doesn't that have something to do with the Multi-User search and the discovery mailbox?
Hi erolleman,
Do you use Multi-Mailbox Search?
Multi-Mailbox Search required an Enterprise CAL for each mailbox searche until October 1.
For more information, please see:
Announcing a licensing change for Multi-Mailbox Search
http://blogs.technet.com/b/exchange/archive/2012/07/13/announcing-a-licensing-change-for-multi-mailbox-search.aspxFrank Wang
TechNet Community Support
October 26th, 2012 11:17pm
How do I stop the Exchange server from requiring Enterprise CALs? Features were enabled that shouldn't have been.
I ensured that all mailboxes no longer have archiving enabled.
I did notice that there is a "Discovery Search Mailbox" under recipient configuration. Can I just delete this mailbox without breaking anything to remove this enterprise feature?
Are there any other things I can do to make sure I don't require Enterprise CALs and are therefore out of compliance?
Thanks for any and all help.
Free Windows Admin Tool Kit Click here and download it now
October 26th, 2012 11:37pm
Hi erolleman,
Yes, this is built-in Role Group and Management Role. Actually, there shoule be another
Identity:
Mailbox Search-Organization Management-Delegating
If there is no any other output, it means nobody can do multi-mailbox search.
For your scenario, please check it again on October 1 as the Team blog said.
By the way, the report is for informational purposes only and is estimated. If you meet the Exchange licensing requirement, you can ingore the report.Frank Wang
TechNet Community Support
October 26th, 2012 11:55pm
On Mon, 24 Sep 2012 23:56:39 +0000, erolleman wrote:
[ snip ]
>Thanks for finding the script for me. This is the report:
>
>Total Standard CALs calculated: 52 Advanced Anti-spam Enabled: False Info Leakage Protection Enabled: False Unified Messaging Users calculated: 0 Managed Custom Folder Users calculated: 0 Advanced ActiveSync Policy Users calculated: 0 Archived Mailbox
Users calculated: 0 Retention Policy Users calculated: 2 Searchable Users calculated: 52 Journaling Users calculated: 0 Total Enterprise CALs calculated: 52
>
>========================= Exchange CAL Usage Report =========================
>
>Total Users: 52 Total Standard CALs: 52 Total Enterprise CALs: 52
>
>
>
>It appears that I have some "Searchable Users" enabled. Doesn't that have something to do with the Multi-User search and the discovery mailbox? Any idea on how I would remove those users from that count?
I'm pretty sure those are the people assigned the "Discovery
Management" RBAC role. That role allows the application of "Legal
Hold".
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
October 27th, 2012 12:12am
No, do not delete that mailbox.
Exchange Server Licensing
Just look at the chart near the bottom under Enterprise CALs and ensure you arent using any of these features and you will be fine.
October 27th, 2012 12:22am
Hi erolleman,
Did you use Multi-Mailbox search in ECP or New-MailboxSearch
cmdlet ago? If yes, this is the case.
Understanding Multi-Mailbox Search
http://technet.microsoft.com/en-us/library/dd335072.aspx
Please see my last reply.Frank Wang
TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
October 27th, 2012 12:33am
No users have the Discovery Search assigned to them and therefore cannot do it.Are the Multi-Mailbox Search and the Discovery Search Role not related?
Hi erollenman,
Yes, there are releated.
If admin is a member of Discovery Search Role Group, he can do the task.
However, please also run the following cmdlet to check whether admin is assigned the permission to run the mailbox search directly.
Get-ManagementRoleAssignment -Role "mailbox search"
Frank Wang
TechNet Community Support
October 27th, 2012 12:44am