
Technical details

PowerShell tool for creating the hashed SID

Active Directory licensing does not work with the name of a domain, but with its SID. To prevent axes4 from obtaining this potentially security-relevant information, the SID is hashed using a PowerShell tool, which we provide here.

The PowerShell script asks for the name of the domain and the AD group. If the domain is found, the tool creates a hash of the domain SID. The hashed SID and the AD group name are displayed on the command line; the admin then sends this information to axes4 by e-mail.

Please note that the name of the AD group cannot be changed after the license file has been issued.

As with any PowerShell script, the source can be read directly, so there is transparency about how the SID is hashed.

Deploying the license token file

Using the information from the PowerShell tool, axes4 creates a license token file (JSON file) containing the information described above and sends it to the licensees.

This file must be distributed to the axes4 License Manager program folder of the clients using Group Policy (or a comparable deployment tool). The default path is:

C:\Program Files\axes4 License Manager

Modification of the registry value for the license manager

To activate Active Directory licensing, a registry value must be set for one of the following keys (with descending priority during processing):

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\axes4\Licensing\Manager
Computer\HKEY_CURRENT_USER\Software\Policies\axes4\Licensing\Manager
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\axes4\Licensing\Manager
Computer\HKEY_CURRENT_USER\Software\axes4\Licensing\Manager

Within these keys, the license manager searches for a string value with the name ActiveConnections and the value domain.

[Image: Licensing Manager. In the right part of the window, the string value 'ActiveConnections' with the value 'domain' is highlighted.]
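
To confirm which of the four keys actually supplies the setting on a client, the lookup order above can be walked with a short script. This is an added example, not axes4's own code; it assumes that the first key in the listed order that contains ActiveConnections wins, and the function name Get-Axes4ActiveConnections is hypothetical.

```powershell
# Added example: resolve the effective ActiveConnections value on a client.
# Key paths and the value name come from the list above. Assumption: the first
# key (in the listed order) that holds the value is the one that takes effect.
$keys = @(
    'HKLM:\SOFTWARE\Policies\axes4\Licensing\Manager',
    'HKCU:\Software\Policies\axes4\Licensing\Manager',
    'HKLM:\SOFTWARE\axes4\Licensing\Manager',
    'HKCU:\Software\axes4\Licensing\Manager'
)
$valueName = 'ActiveConnections'

function Get-Axes4ActiveConnections {
    param([string[]]$Paths = $keys, [string]$Name = $valueName)

    $rank = 0
    foreach ($path in $Paths) {
        $rank++
        # Returns nothing if the key or the value is missing.
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        $present = $null -ne $item
        [pscustomobject]@{
            Priority = $rank
            Key      = $path
            Present  = $present
            Value    = if ($present) { $item.$Name } else { $null }
            Kind     = if ($present) { (Get-Item -Path $path).GetValueKind($Name) } else { $null }
        }
    }
}

$rows = Get-Axes4ActiveConnections
$rows | Format-Table -AutoSize

# The highest-priority key that contains the value decides the outcome.
$effective = $rows | Where-Object Present | Select-Object -First 1
if (-not $effective) {
    Write-Warning "ActiveConnections is not set in any of the four keys."
} elseif ($effective.Kind -ne 'String' -or $effective.Value -ne 'domain') {
    Write-Warning "Effective value in $($effective.Key) is '$($effective.Value)' ($($effective.Kind)); expected string value 'domain'."
} else {
    "Active Directory licensing is enabled via $($effective.Key)"
}

# Lower-priority keys that disagree are shadowed; list them so stale settings can be cleaned up.
$rows | Where-Object { $_.Present -and $_.Priority -gt $effective.Priority -and $_.Value -ne $effective.Value }
```

Run it in the session of the user being checked, because two of the four keys are per-user (HKEY_CURRENT_USER).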


Changes to the AD group

If users are added to or removed from the AD group, domain clients do not update this information immediately. For performance reasons, we deliberately do not refresh the AD groups. It can therefore take up to 10 minutes after a user has been added until their group membership is confirmed and they are correctly licensed.

Random check of the number of licensed users

Counting the members of the AD group is an expensive operation for Windows AD. In order not to overload the domain controllers, this check only takes place sporadically, depending on the number of users.

AD subgroups, subdomains

The group of licensed users can contain subgroups.

It is also possible to add users or groups from subdomains to a parent domain group. If desired, a single license file can therefore be used for a parent domain and for several subdomains.

Exceeding the number of licensed users

If the AD group contains more members than specified in the license token file and the random algorithm selects a client to count the group members, that one client will not be licensed. If the number of group members remains too high, the same happens to subsequent clients. All other clients are not affected.

Flat licenses

Active Directory licensing includes the option of issuing flat licenses if an organization wishes to license all of its employees. There are two options:

Domain Flat

The system only checks whether a user belongs to the correct AD domain. There is no check for membership in an AD group.

Group Flat

The system checks whether a user belongs to the correct AD domain and whether they are a member of the specified AD group. An admin can use this group membership to control who receives a license. In contrast to standard AD licensing, the license manager in Group Flat does not check how many users are in the AD group.