I need to know how the licensing is worked out for Active Role
Is it per user? If so, is that enable user only ALL users? What about other objects do they need a license?
Thanks in advance
I would suggest you have a read through the AdminGuide (starting on pg 563 for version 6.9) where there is discussion of "Managed Object Statistics".
To quickly summarize:
1) There is a built-in scheduled task called "Managed Object Counter" that counts managed objects
2) You can choose to exclude objects (i.e. their OUs) from being counted by the Statistics process by applying the policy called "Built-in Policy - Exclude from Managed Scope" to the OU(s). So to your point about your "leavers", you could apply the above policy to the OU(s) containing these objects and your statistics would no longer count them.
3) If you would like to be warned when you are reaching your managed objects limit (as determined by you), you can configure notification of this by a built in workflow called "Notification of managed object excess (Template)" found in Configuration | Policies | Workflow | Builtin
AFAIK, the license is expected to cover all enabled accounts, and does not distinguish between employee, service, generic, etc. And I would not expect Dell to be okay with excluding arbitrary OUs from that count. That said, I will confirm this with Dell, because on the off-chance that the previous posts in this thread are actually correct, then we can drop our own licensing by a couple of thousand enabled accounts that fit the above criteria.
Active Roles is licensed based on Managed and Enabled User Account objects.
An "Enabled User Account" does not include inter-domain trust accounts, contacts, disabled mailbox-enabled user accounts in an Exchange resource forest. Computer object and Group object management also does not count against the licensing count.
By default, all User Account objects are Managed. If you wish to exclude a Domain or one or more OU's from the Managed scope, use the "Built-in Policy - Exclude from Managed Scope" Policy.