On Mon, 24 Sep 2012 16:19:23 +0000, erolleman wrote: >On Fri, 21 Sep 2012 15:03:25 +0000, A_D_ wrote: >Yes. If you are using that Organizational Health check and it says you need Enterprise CALs, its been known to be wrong. As long as you are doing your due diligence to make sure you aren't, then you are ok. It's easy to overlook something in the ActiveSync policies . . . real easy. One little checkbox (and it's usually one you UNcheck!) and you need Enterprise CALs. --- Rich Matheisen MCSE+I, Exchange MVP >--- Rich Matheisen MCSE+I, Exchange MVP > >Could you, by any chance, think of an option in the ActiveSync policy that requires Enterprise CALs for? The licensing page that A_D_ linked me just says "Exchange ActiveSync Mobile Management Policies: Standard", which doesn't really point out which features in the policy I can use. This one used to be accurate (or pretty accurate): http://gallery.technet.microsoft.com/exchange/acdcb192-f226-4517-b3f9-005dce6f4fc3 The relevant portion of the script would be this check against assigned A/S policies on mailboxes: if (($ASPolicy.AllowDesktopSync -eq $False) -or ($ASPolicy.AllowStorageCard -eq $False) -or ($ASPolicy.AllowCamera -eq $False) -or ($ASPolicy.AllowTextMessaging -eq $False) -or ($ASPolicy.AllowWiFi -eq $False) -or ($ASPolicy.AllowBluetooth -ne "Allow") -or ($ASPolicy.AllowIrDA -eq $False) -or ($ASPolicy.AllowInternetSharing -eq $False) -or ($ASPolicy.AllowRemoteDesktop -eq $False) -or ($ASPolicy.AllowPOPIMAPEmail -eq $False) -or ($ASPolicy.AllowConsumerEmail -eq $False) -or ($ASPolicy.AllowBrowser -eq $False) -or ($ASPolicy.AllowUnsignedApplications -eq $False) -or ($ASPolicy.AllowUnsignedInstallationPackages -eq $False) -or ($ASPolicy.ApprovedApplicationList -ne $null) -or ($ASPolicy.UnapprovedInROMApplicationList -ne $null)) { $Script:AdvancedActiveSyncUserCount++ $Script:EnterpriseCALMailboxIDs[$Mailbox.Identity] = $null > > > >I also couldn't really find any place where journaling is turned on, so as far as I can tell it isn't. I will look for a PowerShell script to check if any mailboxes or distribution groups have it turned on. > > > >Thanks. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

Hi erolleman, Yes, this is built-in Role Group and Management Role. Actually, there shoule be another Identity: Mailbox Search-Organization Management-Delegating If there is no any other output, it means nobody can do multi-mailbox search. For your scenario, please check it again on October 1 as the Team blog said. By the way, the report is for informational purposes only and is estimated. If you meet the Exchange licensing requirement, you can ingore the report.Frank Wang TechNet Community Support

On Fri, 21 Sep 2012 15:03:25 +0000, A_D_ wrote: >Yes. If you are using that Organizational Health check and it says you need Enterprise CALs, its been known to be wrong. As long as you are doing your due diligence to make sure you aren't, then you are ok. It's easy to overlook something in the ActiveSync policies . . . real easy. One little checkbox (and it's usually one you UNcheck!) and you need Enterprise CALs. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP Could you, by any chance, think of an option in the ActiveSync policy that requires Enterprise CALs for? The licensing page that A_D_ linked me just says "Exchange ActiveSync Mobile Management Policies: Standard", which doesn't really point out which features in the policy I can use. I also couldn't really find any place where journaling is turned on, so as far as I can tell it isn't. I will look for a PowerShell script to check if any mailboxes or distribution groups have it turned on. Thanks.

As best as I can tell we aren't using those features yet Exchange server indicates we need Standard and Enterprise CALs... Should I just assume that I'm not in license violation even though the server reports that I need Enterprise CALs?

Yes. If you are using that Organizational Health check and it says you need Enterprise CALs, its been known to be wrong. As long as you are doing your due diligence to make sure you aren't, then you are ok.

Thank you for the assistance so far Frank.Wang . Below you will find the output of the command. I am pretty sure it is indicating that members of the Active Directory group "Discovery Management" have the role assigned and in a previous post I show that no users are a member of that group. Output: RunspaceId : a2d7727f-e121-4da3-9253-310cad6bfbf6 User : **domain**/Microsoft Exchange Security Groups/Discovery Management AssignmentMethod : Direct Identity : Mailbox Search-Discovery Management EffectiveUserName : All Group Members AssignmentChain : RoleAssigneeType : RoleGroup RoleAssignee : **domain**/Microsoft Exchange Security Groups/Discovery Management Role : Mailbox Search RoleAssignmentDelegationType : Regular CustomRecipientWriteScope : CustomConfigWriteScope : RecipientReadScope : Organization ConfigReadScope : None RecipientWriteScope : Organization ConfigWriteScope : None Enabled : True RoleAssigneeName : Discovery Management IsValid : True ExchangeVersion : 0.11 (14.0.550.0) Name : Mailbox Search-Discovery Management DistinguishedName : CN=Mailbox Search-Discovery Management,CN=Role Assignments,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,**domain** Guid : f3215fb7-bc03-4765-b68b-cdbe937039c1 ObjectCategory : **domain**/Configuration/Schema/ms-Exch-Role-Assignment ObjectClass : {top, msExchRoleAssignment} WhenChanged : 6/27/2012 7:36:45 PM WhenCreated : 10/21/2010 7:19:48 PM WhenChangedUTC : 6/28/2012 2:36:45 AM WhenCreatedUTC : 10/22/2010 2:19:48 AM OrganizationId : OriginatingServer : **PDC**

On Mon, 24 Sep 2012 16:19:23 +0000, erolleman wrote: >On Fri, 21 Sep 2012 15:03:25 +0000, A_D_ wrote: >Yes. If you are using that Organizational Health check and it says you need Enterprise CALs, its been known to be wrong. As long as you are doing your due diligence to make sure you aren't, then you are ok. It's easy to overlook something in the ActiveSync policies . . . real easy. One little checkbox (and it's usually one you UNcheck!) and you need Enterprise CALs. --- Rich Matheisen MCSE+I, Exchange MVP >--- Rich Matheisen MCSE+I, Exchange MVP > >Could you, by any chance, think of an option in the ActiveSync policy that requires Enterprise CALs for? The licensing page that A_D_ linked me just says "Exchange ActiveSync Mobile Management Policies: Standard", which doesn't really point out which features in the policy I can use. This one used to be accurate (or pretty accurate): http://gallery.technet.microsoft.com/exchange/acdcb192-f226-4517-b3f9-005dce6f4fc3 The relevant portion of the script would be this check against assigned A/S policies on mailboxes: if (($ASPolicy.AllowDesktopSync -eq $False) -or ($ASPolicy.AllowStorageCard -eq $False) -or ($ASPolicy.AllowCamera -eq $False) -or ($ASPolicy.AllowTextMessaging -eq $False) -or ($ASPolicy.AllowWiFi -eq $False) -or ($ASPolicy.AllowBluetooth -ne "Allow") -or ($ASPolicy.AllowIrDA -eq $False) -or ($ASPolicy.AllowInternetSharing -eq $False) -or ($ASPolicy.AllowRemoteDesktop -eq $False) -or ($ASPolicy.AllowPOPIMAPEmail -eq $False) -or ($ASPolicy.AllowConsumerEmail -eq $False) -or ($ASPolicy.AllowBrowser -eq $False) -or ($ASPolicy.AllowUnsignedApplications -eq $False) -or ($ASPolicy.AllowUnsignedInstallationPackages -eq $False) -or ($ASPolicy.ApprovedApplicationList -ne $null) -or ($ASPolicy.UnapprovedInROMApplicationList -ne $null)) { $Script:AdvancedActiveSyncUserCount++ $Script:EnterpriseCALMailboxIDs[$Mailbox.Identity] = $null > > > >I also couldn't really find any place where journaling is turned on, so as far as I can tell it isn't. I will look for a PowerShell script to check if any mailboxes or distribution groups have it turned on. > > > >Thanks. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

On Fri, 21 Sep 2012 15:03:25 +0000, A_D_ wrote: >Yes. If you are using that Organizational Health check and it says you need Enterprise CALs, its been known to be wrong. As long as you are doing your due diligence to make sure you aren't, then you are ok. It's easy to overlook something in the ActiveSync policies . . . real easy. One little checkbox (and it's usually one you UNcheck!) and you need Enterprise CALs. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

On Fri, 21 Sep 2012 15:03:25 +0000, A_D_ wrote: >Yes. If you are using that Organizational Health check and it says you need Enterprise CALs, its been known to be wrong. As long as you are doing your due diligence to make sure you aren't, then you are ok. It's easy to overlook something in the ActiveSync policies . . . real easy. One little checkbox (and it's usually one you UNcheck!) and you need Enterprise CALs. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP tru dat!

On Mon, 24 Sep 2012 16:19:23 +0000, erolleman wrote: >On Fri, 21 Sep 2012 15:03:25 +0000, A_D_ wrote: >Yes. If you are using that Organizational Health check and it says you need Enterprise CALs, its been known to be wrong. As long as you are doing your due diligence to make sure you aren't, then you are ok. It's easy to overlook something in the ActiveSync policies . . . real easy. One little checkbox (and it's usually one you UNcheck!) and you need Enterprise CALs. --- Rich Matheisen MCSE+I, Exchange MVP >--- Rich Matheisen MCSE+I, Exchange MVP > >Could you, by any chance, think of an option in the ActiveSync policy that requires Enterprise CALs for? The licensing page that A_D_ linked me just says "Exchange ActiveSync Mobile Management Policies: Standard", which doesn't really point out which features in the policy I can use. This one used to be accurate (or pretty accurate): http://gallery.technet.microsoft.com/exchange/acdcb192-f226-4517-b3f9-005dce6f4fc3 The relevant portion of the script would be this check against assigned A/S policies on mailboxes: if (($ASPolicy.AllowDesktopSync -eq $False) -or ($ASPolicy.AllowStorageCard -eq $False) -or ($ASPolicy.AllowCamera -eq $False) -or ($ASPolicy.AllowTextMessaging -eq $False) -or ($ASPolicy.AllowWiFi -eq $False) -or ($ASPolicy.AllowBluetooth -ne "Allow") -or ($ASPolicy.AllowIrDA -eq $False) -or ($ASPolicy.AllowInternetSharing -eq $False) -or ($ASPolicy.AllowRemoteDesktop -eq $False) -or ($ASPolicy.AllowPOPIMAPEmail -eq $False) -or ($ASPolicy.AllowConsumerEmail -eq $False) -or ($ASPolicy.AllowBrowser -eq $False) -or ($ASPolicy.AllowUnsignedApplications -eq $False) -or ($ASPolicy.AllowUnsignedInstallationPackages -eq $False) -or ($ASPolicy.ApprovedApplicationList -ne $null) -or ($ASPolicy.UnapprovedInROMApplicationList -ne $null)) { $Script:AdvancedActiveSyncUserCount++ $Script:EnterpriseCALMailboxIDs[$Mailbox.Identity] = $null > > > >I also couldn't really find any place where journaling is turned on, so as far as I can tell it isn't. I will look for a PowerShell script to check if any mailboxes or distribution groups have it turned on. > > > >Thanks. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP Thanks for finding the script for me. This is the report: Total Standard CALs calculated: 52 Advanced Anti-spam Enabled: False Info Leakage Protection Enabled: False Unified Messaging Users calculated: 0 Managed Custom Folder Users calculated: 0 Advanced ActiveSync Policy Users calculated: 0 Archived Mailbox Users calculated: 0 Retention Policy Users calculated: 2 Searchable Users calculated: 52 Journaling Users calculated: 0 Total Enterprise CALs calculated: 52 ========================= Exchange CAL Usage Report ========================= Total Users: 52 Total Standard CALs: 52 Total Enterprise CALs: 52 It appears that I have some "Searchable Users" enabled. Doesn't that have something to do with the Multi-User search and the discovery mailbox? Any idea on how I would remove those users from that count?

I'm pretty sure those are the people assigned the "Discovery Management" RBAC role. That role allows the application of "Legal Hold". --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP I thought that might be that case too, but I checked and there are no users assigned that role.

I've never used Multi-Mailbox search, but I am quite new here and a previous administrator may have. No users have the Discovery Search assigned to them and therefore cannot do it. That is what I was attempting to show in my last post. Are the Multi-Mailbox Search and the Discovery Search Role not related?

Retention Policy Users calculated: 2 Searchable Users calculated: 52 Total Enterprise CALs calculated: 52 ========================= It appears that I have some "Searchable Users" enabled. Doesn't that have something to do with the Multi-User search and the discovery mailbox? Hi erolleman, Do you use Multi-Mailbox Search? Multi-Mailbox Search required an Enterprise CAL for each mailbox searche until October 1. For more information, please see: Announcing a licensing change for Multi-Mailbox Search http://blogs.technet.com/b/exchange/archive/2012/07/13/announcing-a-licensing-change-for-multi-mailbox-search.aspxFrank Wang TechNet Community Support

How do I stop the Exchange server from requiring Enterprise CALs? Features were enabled that shouldn't have been. I ensured that all mailboxes no longer have archiving enabled. I did notice that there is a "Discovery Search Mailbox" under recipient configuration. Can I just delete this mailbox without breaking anything to remove this enterprise feature? Are there any other things I can do to make sure I don't require Enterprise CALs and are therefore out of compliance? Thanks for any and all help.

Hi erolleman, Yes, this is built-in Role Group and Management Role. Actually, there shoule be another Identity: Mailbox Search-Organization Management-Delegating If there is no any other output, it means nobody can do multi-mailbox search. For your scenario, please check it again on October 1 as the Team blog said. By the way, the report is for informational purposes only and is estimated. If you meet the Exchange licensing requirement, you can ingore the report.Frank Wang TechNet Community Support

On Mon, 24 Sep 2012 23:56:39 +0000, erolleman wrote: [ snip ] >Thanks for finding the script for me. This is the report: > >Total Standard CALs calculated: 52 Advanced Anti-spam Enabled: False Info Leakage Protection Enabled: False Unified Messaging Users calculated: 0 Managed Custom Folder Users calculated: 0 Advanced ActiveSync Policy Users calculated: 0 Archived Mailbox Users calculated: 0 Retention Policy Users calculated: 2 Searchable Users calculated: 52 Journaling Users calculated: 0 Total Enterprise CALs calculated: 52 > >========================= Exchange CAL Usage Report ========================= > >Total Users: 52 Total Standard CALs: 52 Total Enterprise CALs: 52 > > > >It appears that I have some "Searchable Users" enabled. Doesn't that have something to do with the Multi-User search and the discovery mailbox? Any idea on how I would remove those users from that count? I'm pretty sure those are the people assigned the "Discovery Management" RBAC role. That role allows the application of "Legal Hold". --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

No, do not delete that mailbox. Exchange Server Licensing Just look at the chart near the bottom under Enterprise CALs and ensure you arent using any of these features and you will be fine.

Hi erolleman, Did you use Multi-Mailbox search in ECP or New-MailboxSearch cmdlet ago? If yes, this is the case. Understanding Multi-Mailbox Search http://technet.microsoft.com/en-us/library/dd335072.aspx Please see my last reply.Frank Wang TechNet Community Support

No users have the Discovery Search assigned to them and therefore cannot do it.Are the Multi-Mailbox Search and the Discovery Search Role not related? Hi erollenman, Yes, there are releated. If admin is a member of Discovery Search Role Group, he can do the task. However, please also run the following cmdlet to check whether admin is assigned the permission to run the mailbox search directly. Get-ManagementRoleAssignment -Role "mailbox search" Frank Wang TechNet Community Support