Frequently Asked Question

Remove user CAL from RDSH
Last Updated 3 hours ago

On Windows Server 2025, a Per User RDS CAL is not normally “removed” from the RD Session Host itself. In most environments, the practical process is:

  1. Stop the user being able to sign in to RDS
  2. Clear the RDS per-user licence tracking data from Active Directory if required for reporting

This is different from Per Device licensing, where a device token can be revoked in the licensing console.

Key point

  • Per User RDS CALs are primarily an administrative/compliance assignment, not a hard device-style token that is revoked from the Session Host.
  • In an Active Directory environment, the licence server may write RDS licensing attributes to the user object.
  • Clearing those attributes removes the tracked assignment for that user, but it does not “return” a licence key to Microsoft or change the installed licence pack on the licence server.

1. Remove the user’s ability to use RDS

Before clearing any licence tracking, remove access so the user cannot reconnect and consume a new assignment.

Common actions:

  • Remove the user from any AD group used to permit Remote Desktop access
  • Remove the user from the local or domain Remote Desktop Users group if that is how access is granted
  • Remove the user from any RDS collection security group
  • Disable the AD account if the user has left the business
  • Apply a logon restriction or deny sign-in via Group Policy if appropriate

2. Clear the Per User RDS CAL tracking from Active Directory

Option A: Using Active Directory Users and Computers

  1. Open Active Directory Users and Computers
  2. In the menu, enable ViewAdvanced Features
  3. Find the user account
  4. Open the user’s Properties
  5. Open the Attribute Editor tab
  6. Clear the following attributes if they exist:
  • msTSManagingLS
  • msTSLicenseVersion
  • msTSLicenseVersion2
  • msTSExpireDate
  • msTSExpireDate2
  1. Click OK
  2. Allow Active Directory replication to complete

These attributes are the usual Per User RDS licensing markers written to the AD user object.

Option B: Using ADSI Edit

Use this method if the Attribute Editor tab is not available.

  1. Open ADSI Edit
  2. Connect to the Default naming context
  3. Browse to the user object
  4. Open Properties
  5. Find and clear these attributes where present:
  • msTSManagingLS
  • msTSLicenseVersion
  • msTSLicenseVersion2
  • msTSExpireDate
  • msTSExpireDate2
  1. Save the changes
  2. Wait for AD replication

3. PowerShell method

For administrators who prefer PowerShell, the same attributes can be reviewed and cleared with the Active Directory module.

Check the current RDS licensing attributes

Get-ADUser username -Properties msTSManagingLS,msTSLicenseVersion,msTSLicenseVersion2,msTSExpireDate,msTSExpireDate2 |
Select-Object Name,msTSManagingLS,msTSLicenseVersion,msTSLicenseVersion2,msTSExpireDate,msTSExpireDate2

Clear the attributes

Set-ADUser username -Clear msTSManagingLS,msTSLicenseVersion,msTSLicenseVersion2,msTSExpireDate,msTSExpireDate2

Replace username with the relevant AD logon name.

4. Confirm the change

After replication has completed:

  • Open Remote Desktop Licensing Manager
  • Review the Per User CAL reports
  • Confirm the user no longer appears as assigned, or wait for the report data to refresh

If the old assignment still appears immediately, this is usually due to:

  • AD replication delay
  • Cached reporting data on the licence server
  • The user having logged in again after the attributes were cleared

If the environment is actually using Per Device CALs

If the licence mode is Per Device, use the licensing console rather than editing AD attributes.

  1. Open Remote Desktop Licensing Manager
  2. Expand the licence server
  3. Open the issued device licences
  4. Right-click the device
  5. Choose Revoke

This option is for device licences only. It is not the normal method for Per User CALs.

Important notes

  • Clearing AD attributes is the usual way to remove the tracked Per User CAL assignment.
  • This does not uninstall the RDS CAL pack from the licence server.
  • This does not reduce the number of installed licences shown on the licence server.
  • For Per User licensing, Microsoft still expects the organisation to remain correctly licensed for the number of users entitled to use RDS.
  • The RD Licensing Server must have had permission to write those attributes originally; if it did not, Per User tracking may be incomplete.

Recommended practice for leavers

For staff who have left the organisation, the usual clean-up process is:

  1. Remove RDS access groups
  2. Disable or archive the AD account
  3. Clear the msTS* RDS licensing attributes from the user object
  4. Verify the user no longer appears in Per User CAL reporting

This is the standard way to “de-license” a user in an Active Directory-based Per User RDS CAL deployment on Windows Server 2025.

This FAQ was generated and/or edited by GAIN, GENs Artificial Intelligence Network and should not be considered 100% accurate. Always check facts and do your research, things change all the time. If you are unsure about any information provided, please raise a support ticket for clarification.
This website relies on temporary cookies to function, but no personal data is ever stored in the cookies.
OK
Powered by GEN UK CLEAN GREEN ENERGY

Loading ...