Licensing 101. Part 2. What should be counted?

Once you decide on the type of license (term, perpetual etc.), the very next question is usually "How is this product licensed?", and a strange and wonderful world opens its doors :) Different products are licensed differently, and sometimes even the same product can be licensed in different ways.

 

Part 2. What should be counted?

Generally speaking, Quest has products that deal with a specific area of a specific platform, be it Microsoft Active Directory, Exchange, SharePoint or Privilege Manager for Unix, though there are some products that are distinctly cross-platform: InTrust, Privileged Session Manager etc. Within each specific area, there is usually a well-known, traditional way of counting things.

Active Directory

A standard approach is to count all enabled 'user accounts', i.e. all Active Directory objects of class user that are not disabled, no matter who uses them: humans, services or applications. Yes, it may seem unfair to pay for services and applications, but that is what is being counted, and your salesperson will probably alleviate the unfairness by giving you a gentler price. Technically, when an application starts, it asks Active Directory how many enabled user accounts there are and compares this number to the license.

Some products count all enabled user accounts in all domains in a given forest (e.g. Change Auditor), some query only the current domain (Security Explorer), and some products have a more sophisticated way of counting only the objects that were chosen for management (e.g. Password Manager, Enterprise Reporter, Active Roles).

Even if a product does not require a license (like Active Roles), it nevertheless keeps a count of how many enabled user objects there were within the defined scopes of management, and keeps that information averaged by time period, so that it is possible to assess how compliant the client has been.

Interestingly, different products ask somewhat different questions:

Recovery Manager for AD uses a different LDAP query depending on the version(!) (and, of course, if you have more than 10 000 users, you can't even run this LDAP query in ADUC, see "How is the number of active users calculated for licensing?")

Versions prior to 8.2.1:
(samAccountType=805306368)(objectSid=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)

Versions 8.2.1 and 8.5.x:
(&(samAccountType=805306368)(objectSid=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(|(!objectclass=computer)(!serviceprincipalname=*:16993*)))

Versions 8.6.1 - 8.6.4:
(&(samAccountType=805306368)(objectSid=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!objectclass=computer)(!objectclass=hpqTarget))

Version 8.7 and later:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Change Auditor asks different LDAP queries depending on the type of license:

Generic User Count Query (for AD, Defender, File System, SQL Server, EMC, NetApp licensing):

(&(objectCategory=Person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))

Mail Enabled User Count Query (for Exchange licensing):

(&(samAccountType=805306368)(|(&(!userAccountControl:1.2.840.113556.1.4.803:=2)(msExchHomeServerName=*))(&(userAccountControl:1.2.840.113556.1.4.803:=2)(msExchMasterAccountSid=*))))
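How the filters quoted above differ in practice, as an added example (not Quest's code and not part of the original article): a minimal evaluator for the filter syntax used on this page, run over six constructed directory entries. The entry names and every attribute value, including the objectCategory given to the hpqTarget object, are assumptions made for illustration.

```python
import fnmatch
import re
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

def parse(s, i=0):  # s[i] is '('; returns (node, index just past the matching ')')
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)
    return ("item", s[i:end]), end + 1

def match(node, entry):
    op, arg = node
    if op in "&|!":
        hits = [match(kid, entry) for kid in arg]
        return all(hits) if op == "&" else any(hits) if op == "|" else not hits[0]
    attr, want = arg.split("=", 1)
    attr, _, rule = attr.rstrip(":").partition(":")
    have = entry.get(attr.lower(), [])
    if rule == BIT_AND:  # matches only when every bit of `want` is set in the value
        return any((int(v) & int(want)) == int(want) for v in have)
    return any(fnmatch.fnmatchcase(str(v).lower(), want.lower()) for v in have)

def counted(ldap_filter, entries):
    tree, _ = parse(re.sub(r"\(!([^()]+)\)", r"(!(\1))", ldap_filter))  # expand (!a=b)
    return sorted(name for name, e in entries.items() if match(tree, e))

def acct(sam_type, uac, classes, category):
    return {"samaccounttype": [sam_type], "useraccountcontrol": [uac], "objectclass": classes.split(),
            "objectcategory": [category], "objectsid": ["S-1-5-21-0-0-0-1000"]}

ENTRIES = {  # constructed entries; all attribute values are assumptions
    "alice": acct(805306368, 512, "user", "person"),               # enabled user
    "bob": acct(805306368, 514, "user", "person"),                 # disabled (bit 2 set)
    "svc_sql": acct(805306368, 66048, "user", "person"),           # enabled service account
    "ilo01": acct(805306368, 512, "user hpqTarget", "hpqTarget"),  # management-board object
    "ws01$": acct(805306369, 4096, "user computer", "computer"),   # workstation
    "partner$": acct(805306370, 2080, "user", "person"),           # trust account, bit 512 unset
}
FILTERS = {  # filter strings copied from this page
    "Recovery Manager 8.2.1/8.5.x": "(&(samAccountType=805306368)(objectSid=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(|(!objectclass=computer)(!serviceprincipalname=*:16993*)))",
    "Recovery Manager 8.6.1-8.6.4": "(&(samAccountType=805306368)(objectSid=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!objectclass=computer)(!objectclass=hpqTarget))",
    "Recovery Manager 8.7+": "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
    "Change Auditor generic": "(&(objectCategory=Person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))",
}
```

Calling `counted(FILTERS[name], ENTRIES)` for each name returns the accounts that filter would count; on this sample the service account is always counted, while the hpqTarget and trust-account entries are counted by some filters and not others.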

Exchange

For most products (Change Auditor, Unified Communications Suite etc.) we count mailbox-enabled users, i.e. all the users in the forest that have a mailbox, again regardless of whether it is used by a human, a device, a conference room etc. Alternatively, Collaboration Services for Exchange used to be licensed per synchronized object, be it a user, group, contact etc.

------------------------------------------------------------------

If you have multiple forests, you will need separate licenses for each forest. The only exception is when the other forests are test or dev forests, in which case you can apply the same production license. If you are consolidating multiple forests, you would also need separate licenses. Since the number of users will be constantly changing, you may want to avoid a continuous need to request and re-apply different licenses by asking your salesperson to issue one perpetual license that covers the target forest (where you would consolidate your users) with the ultimate number of users, and a temporary license for the migrated forest.

So the best way to learn how your users, mailboxes or objects are really counted is to consult our Knowledge Base and search for the keywords LDAP and license in the appropriate product section.
