Manage AD Bridge Licenses
There are two options to manage the assignment of AD Bridge licenses:
- Globally using the License Management page in the BeyondTrust Management Console on a Windows administrative workstation connected to Microsoft Active Directory.
We recommend that you manage your licenses through the BeyondTrust Management Console.
- Locally using an AD Bridge command-line utility (setkey-cli) on a Unix or Linux computer.
Evaluation Licenses and Permanent Licenses
When you install the AD Bridge agent without a permanent license on a Unix or Linux computer, a 90-day product evaluation key is automatically generated. If a permanent license key or an extended evaluation license key is unavailable, AD Bridge will stop authenticating users and applying Group Policy settings after 90 days. The expiration date of an evaluation license applies only to the computer on which the license is installed.
To obtain a permanent license or to convert a trial license to a full license, contact a BeyondTrust sales representative at www.beyondtrust.com/contact.
You can upgrade an evaluation license to a permanent license by importing the permanent license key into the BeyondTrust Management Console, and applying it to a client computer. If the automatic assignment feature is in use, the AD Bridge agent will automatically apply a permanent license when you log on a client with an AD account, restart the AD Bridge authentication service, or run the command-line utility for managing licenses.
BeyondTrust offers single-computer licenses for each of its agents.
If there are multiple domains, a different license file is required for each domain. To spread a set of single-computer licenses across two or more domains, you can request BeyondTrust sales to distribute the licenses in two or more license files.
The number of concurrent logins is unlimited.
AD Bridge supports parent-level licensing, a feature where AD Bridge agents running in child domains can obtain license keys from a license container in the root of the domain. This simplifies license management by eliminating the need for license containers in child domains. License containers in child domains are still supported and are useful in restricting the number of license keys issued to agents joined to that domain.
AD Bridge agents obtain license keys by first looking for a license container in the organizational unit (OU) the computer is joined to:
- If it obtains a license from that container, it assigns it to the agent machine. If the agent does not obtain a license, an evaluation license is issued.
- If it does not find a license container, it will start going up through the AD tree, repeating the process until it reaches the root of the domain. If no license containers are found in the domain the agent is joined to, it then looks in the root of the parent domain for a license container. Once a license container is found, whether a license key is obtained from it or not, the agent does not look for further license containers.
For child domains to acquire and delete licenses that are applied to the agent machines, you must add Permissions to licenses in the root of the domain's license container.
- At the root of the domain, right-click the License object within the License Container.
- Add the child/domain computers account and allow Create all child objects and Delete all child objects. This allows the child domain computers group to acquire and delete licenses from the parent domain.
When you leave the domain using --deleteAccount, the credentials used to leave that domain must also be added to each of the license objects so that the license can be freed.
License Feature Codes
Licenses contain codes that can include or exclude features. When a license is displayed in the console, the codes in the Features column indicate the entitlements that the license covers.
The following table describes each feature code:
|SC||Covers the use of two-factor authentication with a smart card|
|GP||Covers the application of GPOs|
|AU||Covers the auditing and reporting components|
|AD||Covers the use of the AD Bridge management tools for Active Directory|