Manage AD Bridge Licenses

There are two options to manage the assignment of AD Bridge licenses:

License Management page in BeyondTrust Management Console.

  • Globally using the License Management page in the BeyondTrust Management Console on a Windows administrative workstation connected to Microsoft Active Directory.
  • We recommend that you manage your licenses through the BeyondTrust Management Console.


setkey-cli comand-line utility

  • Locally using an AD Bridge command-line utility (setkey-cli) on a Unix or Linux computer.


License Types

Evaluation Licenses and Permanent Licenses

When you install the AD Bridge agent without a permanent license on a Unix or Linux computer, a 90-day product evaluation key is automatically generated. If a permanent license key or an extended evaluation license key is unavailable, AD Bridge will stop authenticating users and applying Group Policy settings after 90 days. The expiration date of an evaluation license applies only to the computer on which the license is installed.

To obtain a permanent license or to convert a trial license to a full license, contact a BeyondTrust sales representative at

You can upgrade an evaluation license to a permanent license by importing the permanent license key into the BeyondTrust Management Console, and applying it to a client computer. If the automatic assignment feature is in use, the AD Bridge agent will automatically apply a permanent license when you log on a client with an AD account, restart the AD Bridge authentication service, or run the command-line utility for managing licenses.

Single-Computer Licenses

BeyondTrust offers single-computer licenses for each of its agents.

If there are multiple domains, a different license file is required for each domain. To spread a set of single-computer licenses across two or more domains, you can request BeyondTrust sales to distribute the licenses in two or more license files.

The number of concurrent logins is unlimited.

Parent-Level Licensing

AD Bridge supports parent-level licensing, a feature where AD Bridge agents running in child domains can obtain license keys from a license container in the root of the domain. This simplifies license management by eliminating the need for license containers in child domains. License containers in child domains are still supported and are useful in restricting the number of license keys issued to agents joined to that domain.

AD Bridge agents obtain license keys by first looking for a license container in the organizational unit (OU) the computer is joined to:

  • If it obtains a license from that container, it assigns it to the agent machine. If the agent does not obtain a license, an evaluation license is issued.
  • If it does not find a license container, it will start going up through the AD tree, repeating the process until it reaches the root of the domain. If no license containers are found in the domain the agent is joined to, it then looks in the root of the parent domain for a license container. Once a license container is found, whether a license key is obtained from it or not, the agent does not look for further license containers.

For child domains to acquire and delete licenses that are applied to the agent machines, you must add Permissions to licenses in the root of the domain's license container.

  1. At the root of the domain, right-click the License object within the License Container.
  2. Add the child/domain computers account and allow Create all child objects and Delete all child objects. This allows the child domain computers group to acquire and delete licenses from the parent domain.

When you leave the domain using --deleteAccount, the credentials used to leave that domain must also be added to each of the license objects so that the license can be freed.

License Feature Codes

An image of license feature codes in the Feature column.

Licenses contain codes that can include or exclude features. When a license is displayed in the console, the codes in the Features column indicate the entitlements that the license covers.


The following table describes each feature code:

Feature Code Description
SC Covers the use of two-factor authentication with a smart card
GP Covers the application of GPOs
AU Covers the auditing and reporting components
AD Covers the use of the AD Bridge management tools for Active Directory