Verify Specops Password Policy License Usage (7.5 and earlier)
Both affected (perpetual) and subscription licenses use the same model to count licenses — the count is based on the number of enabled Active Directory user accounts that have a Specops Password Policy GPO applied to them in Active Directory.
Specops Password Policy regularly updates a record of how many licenses have been consumed. The license check is part of a daily user counting process performed by the Password Policy Sentinel installed on the domain controller holding the PDC Emulator Role. The current license consumption details will be logged in Event ID 107 in the Windows Application event log.
Adjusting License Consumption
If license counts are higher than expected, you may need to adjust the scope of your Password Policy GPOs to exclude some user accounts in order to reclaim licenses for those users. Begin by checking which GPOs in your domain contain Password Policy settings. On a system with the Password Policy Admin Tools installed, launch Password Policy Domain Administration from the start menu and got to the Password Policies section. GPOs containing Specops Password Policy settings will be listed in the Group Policies section on the right.
To determine how each Specops Password Policy GPO is applied we must check in Group Policy Management Console MMC. Check the locations where the GPO is linked and whether any Security Filtering has been applied.
In order to reduce license consumption any of the following changes can be made:
- Link the GPO on different sub-OUs and disable/delete the current links
- Change the Security Filtering to limit the GPO’s scope to a security group
- Deny applying the GPO to a security group via advanced delegation on the GPO
Once changes are made, the user counting data in Password Policy will not update until the next daily user count or you can also force a re-count of the users by referencing the following article. If you would like to see results immediately you can also count consumed licenses manually by using the Active Directory and Password Policy PowerShell modules. Password Policy version 7.2 or later is required for these commands:
Get-ADUser -filter { enabled -eq $true } | % { Get-PasswordPolicyAffectingUser $_ } | Measure-ObjectAdd a searchBase parameter and specify the distinguishedName of an OU to count license only for users under that specific OU:
Get-ADUser -SearchBase "OU=Users,DC=domain,DC=com" -filter { enabled -eq $true } | % { Get-PasswordPolicyAffectingUser $_ } | Measure-Object