Enterprise Mobility and Security Blog


We’re pleased to announce a new feature in Windows Server 2008 R2: RemoteApp User Assignment. The RemoteApp User Assignment feature gives administrators the ability to show a customized list of RemoteApp programs specific to the logged-on user in RD Web Access and RemoteApp and Desktop Connections. This has been one of our most requested features since Terminal Services Web Access (TS Web Access) was released in Windows Server 2008.

Why assign Remote App programs to users?

In Windows Server 2008 TS Web Access, if two users with different application usage patterns log on to the website, they will both see the same list of RemoteApp programs. For example, a user from HR and a developer will see the same set of published applications. They will both have to dig through several published applications to access the ones that are relevant to them.

By using RemoteApp User Assignment, Windows Server 2008 R2 provides a solution to filter the applications based on the logged-on user. By using this new feature, the administrator can easily set up the system so that users will only see the applications they use. In our example scenario, the HR user will only see HR applications, and the developer will only see development applications. This feature makes it easy for users to find and run the applications that are relevant to them.

How it works

The RemoteApp User Assignment feature is implemented by adding an access control list (ACL) to every RemoteApp program. When a user logs on to RD Web Access, the list of applications that are viewable to this user is fetched from the RD Session Host (RDSH) servers. As we can see in the diagram below, when RD Web Access is configured to point directly to one or more RD Session Host servers, RD Web Access directly queries the servers and filters the retrieved list of RemoteApp programs based on the ACLs.


When RD Web Access is configured to point to an RD Connection Broker server, the Connection Broker server queries the RD Session Host servers and filters the list of RemoteApp programs, as shown in the diagram below.


When the RemoteApp program is first published, its default ACL allows all users to see the application. Through UI and Windows PowerShell™, the ACL can be configured to allow only certain domain users or entire domain groups to view the application. See the relevant sections later in this post for detailed configuration steps.


There are a few considerations when setting up this feature that I’d like to mention briefly.

1. The RemoteApp programs can only be assigned to domain users or domain groups, not local users or local security groups. If a user logs on to RD Web Access with a non-domain account, all RemoteApp programs will be displayed, as with Windows Server 2008 TS Web Access.

2. The computer that is actually performing the check of the user’s credentials against the RemoteApp program’s ACL (see the diagrams in the previous section) must be either a member of the domain’s Windows Authorization Access Group, or be joined to a domain running in Windows 2000 compatibility mode.

NOTE: RemoteApp User Assignment is not intended to be a security mechanism; rather it is a discoverability mechanism. There are already ways to secure access to an RD Session Host server, and the RemoteApp User Assignment feature does nothing to change or improve upon them. This feature only helps reduce the number of unnecessary applications that are otherwise displayed to users.

RemoteApp User Assignment using UI

In RemoteApp Manager UI, a new tab, User Assignment, has been added to the RemoteApp Properties dialog box:


As you can see in the screenshot, this new tab allows administrators to specify which domain users and groups can view the RemoteApp program in RD Web Access and the RemoteApp and Desktop Connection feed.

To filter the applications, select the Specified domain users and domain groups option, and then click Add or Remove to modify the list of assigned domain users and groups. The screenshot below captures a configuration where the application is configured to be shown only to the members of the domain group RDVSTRESStestgroup.


RemoteApp User Assignment using the Remote Desktop Services module for Windows PowerShell

The feature can also be managed by using the Remote Desktop Services module for Windows PowerShell:

1. Click Start, click Administrative Tools, and then click Windows PowerShell Modules.

2. To switch to the Remote Desktop Services module for Windows PowerShell, type cd RDS:.


3. Type cd RDS:RemoteAppRemoteAppPrograms and then press ENTER. A dir command at this container lists all the applications that are published.


4. Type cd .<app>UserAssignment and then press ENTER. A dir command at this container lists all the users and groups to whom the application is assigned.


5. To assign the application to a user ‘testdomainuser2’, type New-Item -Path RDS:RemoteAppRemoteAppPrograms<app>UserAssignment -Name user2@testdomain and then press ENTER.


6. To unassign the application to a user ‘testdomainuser2’, type Remove-Item -Path ‘RDS:RemoteAppRemoteAppPrograms<app>UserAssignmentuser2@testdomain’ and then press ENTER.


7. Type dir and then press ENTER to see the user removed from the list of users.