Licensing is a pain. Not so much for the sake of cost, but more for the sake of never quite knowing that you’re compliant.
I was considering a case today. What if one of my customers wants to grant administrative access to a vendor to one of their servers for the purposes of setting up and administering an on-premise application?
My first instinct was yes – they do. After all, they are a user that needs to log in. But then I thought a bit more about it. CALs are after all assigned to physical persons or devices, I can’t just go say “I hereby assign this CAL to Vendor X’s support team”, because that’s not a physical person. Would I have to ask for specific names of the vendor’s technicians for the purposes of license assignment? And how would this be enforced? Maybe just creating a few named users and then just disclaiming knowledge of whether they share their personal accounts, making it their problem? No. There had to be some kind of exception.
So I go out on the Internet, and I found this slightly helpful but mostly unhelpful post from the Microsoft Volume Licensing Blog. As witnessed by the comments, the blog entry raises more questions than it answers. It’s not really the fault of the blog, licensing is hard, really for no good reason other than to make work for licensing lawyers.
This is what they write:
7 – Do I need CALs for my administrators?
Server software licensed using CALs permits up to 2 users or devices to access the server software for the purposes of administration without CALs. However, if your administrators also use the software for anything other than administration (for example, they check their email), CALs will be required for them as well.
You could be forgiven to still fret and say “Oh, okay, so if my vendor has 10 employees I only need 8 CALs” and open your pocketbook and still have the administrative nightmare about having to know about who they employ and manage CAL assignment, adding the two “free” CALs to your pool of CALs.
But that’s actually not the case. If you read what Microsoft said, they specifically say “Server software licensed using CALs permits up to 2 users or devices to access the server software for the purposes of administration without CALs.” (emphasis mine).
Why is this important? Well, because the rules regarding CAL assignments do not come into play! The only way I could reasonably interpret this would be “permits up to 2 users or devices at the same time“. After all, there is no permanent assignment of CALs going on.
The relevant language from Microsoft’s Product Terms does not contradict this interpretation:
16. Administrative and Support Rights
Customer may allow access to server software running in any permitted OSE by two users without CALs solely for administrative purposes. Customer may also allow remote access to other Products solely for purposes of providing technical product support to Licensed Users or on Licensed Devices.
So, my conclusion is, I’m okay. We don’t need to assign CALs ever to users who only work as admins on the server, as long as no more than two of them are ever working on the same time on any given server.
Now, I’d like to point out for the record. I’m not a lawyer, I’m not a licensing expert. I don’t work for a licensing company.
This is not licensing advice. This is just my opinion about how I interpret the licensing rules. After all, I’m just a sysadmin annoyed with the various “pain in the nets” and blogging about it.
And I find that this obfuscated interpretation lines up with common sense. So that’s the interpretation I’m going with.
I second your opinion. There are no two free CALs given to two of your users, so there is no restriction in reassigning them, so the two user who are allowed to access a server for administrative purposes without CALs can change anytime as long as there are no more than two users administering the server at the same time.
But…
This Microsoft Volume Licensing blog post states otherwise in the Q&A section:
https://blogs.technet.microsoft.com/volume-licensing/2014/03/10/licensing-how-to-when-do-i-need-a-client-access-license-cal/
Q4 – If I manage another companies servers as their help desk…and employ more than 3 people…and I already have CALs for my people, do I need additional CALs to administer their network?
A4 – CALs (for Windows Server, Windows Server RDS, Exchange Server, SharePoint, SQL, Lync, etc.) can be used only to access organization owned servers. Your CALs cannot be used to access servers operated by an independent organization (see #6 in the blog above). That being said, their licensed servers will provide the ability for 2 users/devices to access the servers for purposes of administration. For any number of users/devices employed to manage their servers in excess of 2, additional CALs will be required. For example, if 10 people, using 10 different devices are employed to manage their servers – a total of 8 additional user or device CALs will be required. The organization whose servers are being accessed will be required to purchase these CALs however. It is worth pointing out, that certain products – such as Exchange Server 2013, SharePoint Server 2013, and Lync Server 2013 (as well as to some extent, CRM Server 2013) do not require CALs for external user (non-employee) access (administrative access or otherwise). In this example, you are being hired by a third party to provide help desk support OFFSITE and would be considered an external user (see #3 in the blog above). If for example, you have 10 users/devices employed to administer a third parties servers – the company may be required to purchase additional CALs for products such as Windows Server, and/or (unless licensed by processor or core). However, because you can leverage the external user CAL exception for Exchange Server 2013, Lync 2013, or SharePoint 2013 – additional CALs for these products would not be required in this scenario. Note the external user CAL exception for the products mentioned above apply only to the current versions and not prior versions. External users must be offsite.
My humble opinion is that the answer given above does not contradict what I wrote in the post. If you have 10 people employed specifically to manage a customer’s servers, obviously they’ll have to work at the same time. But it’s a difference if you have 10 people employed for that purpose, as opposed to 10 people in a pool who may potentially and occasionally work on a customer’s server.