Tag Archives: rds

Reduce RDS SPLA CALS (licensing)

From https://social.technet.microsoft.com/Forums/ie/en-US/eac06eab-3455-4d8e-8698-ddb8d4189e64/reducing-the-number-of-remote-desktop-licensing-peruser-cals-?forum=winserverTS

We can use the following commands:

Get-WmiObject Win32_TSLicenseKeyPack|Select KeyPackId, ProductVersion, TotalLicenses, TypeAndModel|Format-List

Invoke-WmiMethod -Class Win32_TSLicenseKeyPack -Name RemoveLicensesWithIdCount -ArgumentList <Keypack>,<NumberofLicensesToRemove>

For example, if we had 14 RDS CALs and wanted to reduce them to 12:

PS C:\Windows\system32> Get-WmiObject Win32_TSLicenseKeyPack|Select KeyPackId, ProductVersion, TotalLicenses, TypeAndModel|Format-List

KeyPackId : 2
ProductVersion : Windows 2000 Server
TotalLicenses : 4294967295
TypeAndModel : Built-in TS Per Device CAL

KeyPackId : 3
ProductVersion : Windows Server 2019
TotalLicenses : 14
TypeAndModel : RDS Per User CAL

KeyPackId 3 holds the RDS CALs we want to reduce, so we would use the command:

Invoke-WmiMethod -Class Win32_TSLicenseKeyPack -Name RemoveLicensesWithIdCount -ArgumentList 3,2

This would reduce Keypack 3 by 2 licenses, bringing it to a total of 12.
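The same removal wrapped in a guard, as an added example that is not part of the original post or the forum thread: it takes the desired total instead of a count, refuses the built-in pack, prompts before changing anything, and re-reads the key pack afterwards. The function name Set-RdsKeyPackTotal and its parameters are hypothetical; it uses only the class, properties and method shown above and assumes Windows PowerShell 5.1 on the license server.

```powershell
# Added example (hypothetical helper, not from the original post).
function Set-RdsKeyPackTotal {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][uint32]$KeyPackId,
        [Parameter(Mandatory = $true)][uint32]$TargetTotal
    )

    # Look up exactly one key pack by the ID shown in the listing.
    $pack = Get-WmiObject -Class Win32_TSLicenseKeyPack -Filter "KeyPackId = $KeyPackId"
    if (-not $pack) { throw "No key pack with KeyPackId $KeyPackId on this license server." }

    # The built-in pack reports 4294967295 licenses; never touch it.
    if ($pack.TypeAndModel -like 'Built-in*') {
        throw "KeyPackId $KeyPackId is '$($pack.TypeAndModel)'; refusing to modify a built-in pack."
    }

    # The method can only remove licenses, so the target must be below the current total.
    $current = [uint32]$pack.TotalLicenses
    if ($TargetTotal -ge $current) {
        throw "Target $TargetTotal is not below the current total of $current."
    }
    $toRemove = [uint32]($current - $TargetTotal)

    $what = "KeyPackId $KeyPackId ($($pack.ProductVersion), $($pack.TypeAndModel))"
    if ($PSCmdlet.ShouldProcess($what, "Remove $toRemove of $current licenses")) {
        Invoke-WmiMethod -Class Win32_TSLicenseKeyPack -Name RemoveLicensesWithIdCount `
            -ArgumentList $KeyPackId, $toRemove -Confirm:$false | Out-Null

        # Verify the result by re-reading the key pack rather than trusting the call.
        $after = Get-WmiObject -Class Win32_TSLicenseKeyPack -Filter "KeyPackId = $KeyPackId"
        if ([uint32]$after.TotalLicenses -ne $TargetTotal) {
            throw "Expected $TargetTotal licenses after removal, found $($after.TotalLicenses)."
        }
        $after | Select-Object KeyPackId, ProductVersion, TotalLicenses, TypeAndModel
    }
}

# The scenario above: 14 -> 12 on KeyPackId 3. -WhatIf reports the action without performing it.
Set-RdsKeyPackTotal -KeyPackId 3 -TargetTotal 12 -WhatIf
```

Drop -WhatIf to perform the removal; the function then asks for confirmation because ConfirmImpact is set to High.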

Allow non admins to manage RDS connection

I had a Server 2016 RDS server using a combination of Terminal Servers and RemoteApps, and we had a user who wanted the ability to log users off. The user in question was not a local admin on the server, so I created an AD group, added her, and ran the following command from an elevated prompt on the RDS server:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "anonit\USR-SEC-AllowRDSLogoff",2

Where anonit\USR-SEC-AllowRDSLogoff is the group that would have permission to log off users.

This ONLY takes effect once the accounts have logged in, e.g. User1 is the kicker and User2 is the kickee. Once I’ve modified the server, User1 doesn’t have permission to log User2 out until User2 has initiated a new logon session.

References:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753032(v=ws.11)?redirectedfrom=MSDN

https://social.technet.microsoft.com/Forums/en-US/0d119172-1100-4f9d-accd-e2504e5f4908/rds-2012-configure-permissions-for-remote-desktop-services-connections?forum=winserverTS

https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/add-user-services-rdp-permissions

https://docs.microsoft.com/en-us/windows/win32/termserv/win32-tspermissionssetting

https://docs.microsoft.com/en-us/windows/win32/termserv/win32-tspermissionssetting-addaccount (explains the magic number 2)