You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: support/windows-server/remote/system-cannot-determine-license-server-member-tsls.md
+7-6Lines changed: 7 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -44,36 +44,37 @@ Review the members of the **Terminal Server License Servers** group by using the
44
44
45
45
If you have confirmed that the connectivity is well established with a domain controller in your network, and the issue still persists, you might have security restrictions enforced on your domain controller. These restrictions control which users can enumerate users and groups in Active Directory (AD).
46
46
47
-
In this case, you're encountering security restrictions that were introduced in Windows Server 2016 and subsequently added to all other Windows operating systems through an update. These restrictions limit the client's ability to make remote SAM calls to the local SAM database and Active Directory.
47
+
In this case, you're encountering security restrictions that were introduced in Windows Server 2016 and later added to all other Windows operating systems through an update. These restrictions limit the client's ability to make remote SAM calls to the local SAM database and Active Directory.
48
48
49
-
For more information about this security settings, see the [Network access: Restrict clients allowed to make remote calls to SAM](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls) security policy setting.
49
+
For more information about this security setting, see the [Network access: Restrict clients allowed to make remote calls to SAM](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls) security policy setting.
50
50
51
51
This policy, when enabled, affects the license server verification of its membership in the TSLS domain group, if the license server isn't part of the allowed users to make remote calls to AD.
52
52
53
53
By default, the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting isn't defined. If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to SAM.
54
54
55
55
If the policy setting is left blank after being defined, the policy isn't enforced.
56
56
57
-
To verify if you're encountering these restrictions, check one of the following:
57
+
To verify if you're encountering these restrictions, check one of the following points:
58
58
59
59
- On the logon domain controller (DC) for the Remote Desktop License Server, check if the following registry key is present:
If this key is present, this means the DC is configured with the SAM restrictions policy.
63
+
If this key is present, which means the DC is configured with the SAM restrictions policy.
64
+
64
65
- Check if the following Group Policy Object is present and applied on the DC:
65
66
66
67
**Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Network access: Restrict clients allowed to make remote calls to SAM**
67
68
68
69
> [!NOTE]
69
-
> This behavior is expected when restricting SAM calls to the DC. However, it has no impact on the RDS Licensing functionality in terms of issuing client access licenses (CALs) and maintaining connectivity with its peers in the RDS farm.
70
+
> This behavior is expected when restricting SAM calls to the DC. However, it has no effect on the RDS Licensing functionality in terms of issuing client access licenses (CALs) and maintaining connectivity with its peers in the RDS farm.
70
71
71
72
To verify if the Remote Desktop license server is affected by this policy, see [related events](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls#related-events) on the domain controller.
72
73
73
74
To allow the Remote Desktop license server to make remote SAM calls to Active Directory, use Group Policy to add the Remote Desktop license server computer account to the list of allowed accounts under this policy: **Network access: Restrict clients allowed to make remote calls to SAM**.
74
75
75
76
> [!NOTE]
76
-
> Restarts aren't required to enable, disable or modify the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting, including audit only mode. Changes become effective without a device restart when they're saved locally or distributed through Group Policy.
77
+
> Restarts aren't required to enable, disable, or modify the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting, including audit only mode. Changes become effective without a device restart when they're saved locally or distributed through Group Policy.
0 commit comments