Voted Best Answer
Jan 04, 2016 - 09:50 AM
(1) being granted access to run software e.g. CALs, RDS or Citrix
(2) Actually installed Software i.e donwload & install
Your best defense in a vendor audit is Security Groups. If you can demonstrate that the AD Users is not a member of a Group with access to a particular server or application you have a strong defence. Coversely, if you have poorly defined groups you are open to their interpretation of the auditor.
A variation of this not specifically related to AD is Site Collections for Sharepoint or OWA or ActiveSync being enabled inside Exchange
**Actually Installed Software**
AD will be used to identify active devices which will be scanned for installed software. If it's active in AD and s/w installed then a license is required. To deal with this situation restrict the days an auditor gets data for to no more than 45 days and ensure you have applied downgrade rights where multiple versions are installed to avoid over statements. It is also worth running a check for high value s/w that might be unused every 6-12 months.