I'd like to set up Active Directory-based activation on our domain. In our environment we have a need to use MAK keys on some machines that may not see the AD server for a year or more. Thus, we'd like to restrict the AD activation to certain OUs, or provide a list of OUs to exclude from AD Activation.
I can't seem to find any tools to tweak how AD Activation works. Do they exist? Is there any way to implement this kind of restriction?
echeveste
- What are you trying to do exactly? If you activate a computer with an MAK key it isn't going to contact a KMS server. In any case though, you should question if it is good practice to leave a domain joined computer disconnected from AD for over a year. – Appleoddity Nov 14 '18 at 23:53
- We are just trying to use both MAK keys and AD activation in the same domain. We have some laptops that take extended leaves of absence in the field, and may not connect to any network during that time. However, we still want GPOs and security groups to apply to them. We don't care if they don't get any updates during that time, but certainly don't want them to deactivate. We also have some BYOD devices that get domain joined, and don't want to activate them. – echeveste Nov 14 '18 at 23:57
- How do you imagine that Group Policy will be applied and security group membership will be maintained/updated if the machines don't connect to the domain for long periods of time? Why not use your MAK keys for these disconnected devices and use KMS for the devices that are permanently connected to the domain network? Why not use DirectAccess or Always On VPN for these remote devices? - https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy - https://docs.microsoft.com/en-us/windows-server/remote/remote-access/directaccess/directaccess – joeqwerty Nov 15 '18 at 00:04
- You are right - I don't expect GP to be updated to the offline machines. I also don't expect them to be activated - the offline machines will use MAK, and I want to make sure that when they initially join the domain they don't use AD activation. I just want to use AD Activation for our standard machines that stay connected constantly. And when I say offline, I mean truly offline - no internet access at all, so a VPN wouldn't help. – echeveste Nov 15 '18 at 15:44
- `I want to make sure that when they initially join the domain they don't use AD activation.` A computer with a MAK key activates by connecting to a Microsoft server, not AD. Only computers that have a GVLK key will attempt AD activation. – Greg Askew Nov 18 '18 at 18:52
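The point made in the last comment, that the installed key type decides whether a machine will ever look for the AD Activation object, can be verified on each machine rather than by trying to scope the activation object to OUs. The PowerShell below is an added example and is not code from the asker or any commenter. It assumes Windows 8 / Server 2012 or later (both the `ProductKeyChannel` property and AD-based activation require that), an elevated session, and a MAK key of your own in place of the all-X placeholder; the function names are mine.

```powershell
# Added example, not from the thread. Reports which activation path this
# Windows machine will take and, optionally, switches a GVLK machine to a MAK
# so it never contacts the AD Activation object or a KMS host.
# Assumes Windows 8 / Server 2012+ and an elevated session.

function Get-WindowsActivationChannel {
    # All Windows editions share this ApplicationID; PartialProductKey IS NOT NULL
    # drops the add-on SKUs that have no key installed.
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
    $lic = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL" |
        Select-Object -First 1
    if (-not $lic) { throw 'No Windows product key is installed.' }

    # ProductKeyChannel is 'Volume:GVLK' for KMS / AD Activation clients and
    # 'Volume:MAK' for MAK-keyed machines; 'Retail' and 'OEM:*' also occur.
    $svc = Get-CimInstance -ClassName SoftwareLicensingService
    [pscustomobject]@{
        Edition             = $lic.Name
        Channel             = $lic.ProductKeyChannel
        PartialKey          = $lic.PartialProductKey
        Licensed            = ($lic.LicenseStatus -eq 1)
        WillUseADActivation = ($lic.ProductKeyChannel -eq 'Volume:GVLK')
        # Empty unless the machine has already activated against an AD object.
        ADActivationObject  = $svc.ADActivationObjectName
    }
}

function Set-WindowsMakKey {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^([A-Z0-9]{5}-){4}[A-Z0-9]{5}$')]
        [string] $MakKey
    )
    $slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'
    # /ipk replaces the installed key; /ato then activates against Microsoft
    # (one-time internet access), not against AD or a KMS host.
    & cscript.exe //nologo $slmgr /ipk $MakKey
    & cscript.exe //nologo $slmgr /ato
}

$state = Get-WindowsActivationChannel
$state | Format-List
if ($state.WillUseADActivation) {
    Write-Warning 'GVLK installed: this machine will try AD/KMS activation and must renew against the domain within 180 days.'
    # Placeholder, not a real key: substitute the MAK from your volume licensing portal.
    # Set-WindowsMakKey -MakKey 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'
}
```

Run this on the field laptops before they leave (or bake `Set-WindowsMakKey` into their build task sequence); a machine that reports `Channel = Volume:MAK` will not attempt AD activation when it joins the domain, so no OU-level restriction on the activation object is needed. Machines that stay connected keep their GVLK and pick up the AD Activation object as usual.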