Why does PolicyPak licensing ask “Who am I?” and “Where do I want to use it?”

Let’s jump to the end of the story and take a look at what the License Tool generates when you’re making a license request.

There are always two items: “Scope” and “SOM_Name”. There is always just one Scope, and there can be several SOM_Names.

“Scope” means: Where you might ever possibly use PolicyPak. Typically, this is (and should be) the whole domain. This doesn’t mean you WILL be using PolicyPak anywhere / everywhere in the whole domain. You select the Scope on this screen as seen here:

“SOM_Name” (Scope of Management): These are the specific places where you will be licensing PolicyPak. This is what you’re selecting on this screen as seen here:

So, here are some examples from some License Request Key files.

Example 1: You are the domain admin and you wish to license the whole domain for PolicyPak.

<scope>DC=fabrikam,DC=com</scope>
<som_name>DC=fabrikam,DC=com</som_name>

  • You can see that the SCOPE is the whole domain (fabrikam.com). This is where we could EVER use PolicyPak.
  • You can see that the SOM is also the whole domain (fabrikam.com). This is where you WILL be licensing PolicyPak.

This means you are the domain admin and you want to license the whole domain. This is the easiest case.

Example 2: You are the domain admin and you wish to license specific OUs for PolicyPak.

<scope>DC=fabrikam,DC=com</scope>
<som_name>OU=Sales,DC=fabrikam,DC=com</som_name>

  • You can see that the SCOPE is the whole domain (fabrikam.com). This is where we could EVER use PolicyPak.
  • You can see that the SOM is one specific OU (which implies all sub-OUs.) This is where you WILL be licensing PolicyPak.

Example 3: You are an OU admin and you wish to license specific OUs for PolicyPak.

<scope>OU=Sales,DC=fabrikam,DC=com</scope>
<som_name>OU=East Sales,OU=Sales,DC=fabrikam,DC=com | OU=West Sales,OU=Sales,DC=fabrikam,DC=com</som_name>

  • You can see that the SCOPE is the SALES OU. This is where we could EVER use PolicyPak.
  • You can see that the SOM is two specific OUs (and their children.) Specifically East Sales OU and West Sales OU. This is where you WILL be licensing PolicyPak.

Okay. So, why do we have Scope and Scope of Management? Because sometimes companies have, say, one domain, with multiple OU administrators – where NEITHER has any overlap of duties and they BOTH want to use PolicyPak (and pay for it separately).

So:

  • Joe is the OU Admin for OU=Machines,OU=WEST,DC=fabrikam,DC=com and
  • Fred is the OU Admin for OU=Machines,OU=EAST,DC=fabrikam,DC=com

In this case NEITHER is the domain admin. They can EACH have their own “Scope” (where they can POSSIBLY use it) and “Scope of Management” where they’ll ACTUALLY use it and not overlap.

When the License Tool (LT) goes to install the license you receive from PolicyPak, it will create a new GPO and link it to the SCOPE.
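As an added example (not PolicyPak's own code or licensing logic), the Python below models the containment relationship described above: it parses the scope and som_name elements, flags any SOM that falls outside the Scope, and classifies a computer DN. The function names, the sample fragment and the assumption that the license GPO is linked at the Scope with default inheritance are illustrative.

```python
import re

# Constructed fragment mirroring Example 3 above. Only the two elements shown
# in the article are modeled; the rest of a real request file is not.
SAMPLE_LRK = """
<scope>OU=Sales,DC=fabrikam,DC=com</scope>
<som_name>OU=East Sales,OU=Sales,DC=fabrikam,DC=com | OU=West Sales,OU=Sales,DC=fabrikam,DC=com</som_name>
"""

def split_dn(dn):
    """Split a DN into (ATTR, value) pairs, ignoring case and stray spaces."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn.strip()):  # keep escaped commas
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip().lower()))
    return rdns

def is_within(dn, container):
    """True if dn is the container itself or sits beneath it."""
    d, c = split_dn(dn), split_dn(container)
    return len(d) >= len(c) and d[len(d) - len(c):] == c

def parse_request(text):
    """Extract the scope and the '|'-separated SOM list from a fragment."""
    scope = re.search(r"<scope>(.*?)</scope>", text, re.S).group(1).strip()
    raw = re.search(r"<som_name>(.*?)</som_name>", text, re.S).group(1)
    return scope, [s.strip() for s in raw.split("|") if s.strip()]

def soms_outside_scope(text):
    """List any SOM that does not sit at or under the scope."""
    scope, soms = parse_request(text)
    return [s for s in soms if not is_within(s, scope)]

def classify_computer(computer_dn, scope, soms):
    """Assumes the license GPO is linked at the scope with default inheritance."""
    if any(is_within(computer_dn, s) for s in soms):
        return "in scope of management"
    if is_within(computer_dn, scope):
        return "gets license GPO, not licensed"
    return "outside scope"

if __name__ == "__main__":
    scope, soms = parse_request(SAMPLE_LRK)
    print("SOMs outside scope:", soms_outside_scope(SAMPLE_LRK))
    for dn in ("CN=PC1,OU=East Sales,OU=Sales,DC=fabrikam,DC=com",
               "CN=PC2,OU=Sales,DC=fabrikam,DC=com",
               "CN=SRV1,OU=Servers,DC=fabrikam,DC=com"):
        print(dn, "->", classify_computer(dn, scope, soms))
```

Comparing DNs component by component rather than as raw strings means differences in case or spacing after commas do not change the result.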

Occasionally, we get the question of: “What can I do if I already selected the whole domain (‘I am a domain admin’) in the first screen and I don’t want to link the GPO to the whole domain?” First, here are some facts:

  1. Nothing happens in PolicyPak until the CSE is installed on client systems. Nothing automatically deploys the client side piece. The CSE is an MSI you deploy using – whatever you want (SCCM, hand-install, LanDesk, Group Policy Software Installation — whatever.)
  2. The GPO that LT creates only has PolicyPak Licensing Data. (See picture below.)
  3. Having the license GPO linked won’t “affect” servers or other clients. They’ll GET the data contained within the licensing GPO (which is nothing but licensing data). But then nothing special happens after that – especially since they’re out of Scope of Management.

That being said, there are two ways to proceed if your license file’s SCOPE is the whole domain, but you don’t want to link it over to the whole domain:

Plan A: Go ahead and let the LT create the GPO and link it to the domain.

  • This is recommended in case *LATER* you wish to expand your scope to include FUTURE OUs (which you haven’t selected today but might select in the future.)
  • For instance, today you want to license OU=Desktops,OU=WEST,DC=fabrikam,DC=com but then during the next year (or future years) you want to license OU=Laptops,OU=East,DC=fabrikam,DC=com. We just issue you a new license, and it’s within the same overall “umbrella” scope.
  • Here’s the thing to remember: only computers in OU=Machines,OU=WEST,DC=fabrikam,DC=com are ever going to get licensed (today), because that’s what you’ve selected in step 2 (Scope of Management.)
  • So again, even though the GPO is linked to the domain level, only the computers in the Scope of Management will activate as PAID, because that’s what you paid for.
  • If you think you might EVER want to license computers to use PolicyPak in another OU besides OU=Machines, OU=WEST, DC=fabrikam, DC=com then we recommend you stick with Plan A.

Plan B: Generate another License Request Key (LRK) using the License Tool and send it to your salesperson.

  • This time, when you are asked the “Who are you” question, DON’T select the whole domain.
  • Simply pretend you’re the OU admin of OU=Machines,OU=WEST,DC=fabrikam,DC=com. This sets the Scope.
  • Select it AGAIN in the second step. This sets the Scope of Management.
  • Now, your License Request Key will make the SCOPE OU=Machines,OU=WEST,DC=fabrikam,DC=com and the “Scope of Management” the same thing (OU=Machines,OU=WEST,DC=fabrikam,DC=com)
  • We’ll cut you another license key.
  • Next time you go to install the new key, LT will ask you if it can create the GPO and link it over to OU=Machines, OU=WEST, DC=fabrikam, DC=com, because that’s the new Scope. (It also will happen to be the Scope of Management.)
  • Again – this is only recommended if you really never ever plan (ever) to use PolicyPak outside of OU=Machines, OU=WEST, DC=fabrikam, DC=com.

Plan C: Delete the GPO’s link. Then re-link the GPO to the OU you want.

  • You can, if you like, simply delete the GPO’s link to the domain.
  • Then, re-link the GPO to the places you want to manage / test using PolicyPak.
  • This will work because the SCOPE is (technically) the domain level, and you’re simply linking it (correctly) to places within the SCOPE.

Last thought: Remember that all client computers must have the PolicyPak CSE installed. Without the CSE installed, PolicyPak directives are ignored. So, just because there’s a GPO linked to the domain doesn’t mean that computers will be able to do anything. They have to be “in scope of management” and also have the CSE installed to pick up PolicyPak directives.

Jeremy Moskowitz

Founder & CTO, Microsoft MVP in Group Policy, Enterprise Mobility, and MDM

Jeremy Moskowitz founded PolicyPak Software after working with hundreds of customers with the same problem: they couldn’t manage their applications, browsers and operating systems using the technology they already utilized.
