How to Configure Windows Server for RemoteApp Access While Blocking Full Remote Desktop Sessions


Many administrators face this dilemma: granting RemoteApp access requires adding users to the "Remote Desktop Users" group, but this automatically enables full Remote Desktop Protocol (RDP) connections as well. The TS Web Access Computers group doesn't properly solve this either.

Start by tightening the RDP listener itself; the Group Policy and registry settings that restrict what an authenticated user may do follow below:

# PowerShell: require Network Level Authentication on the RDP-Tcp listener.
# This hardens the connection handshake; on its own it does not remove full-desktop rights.
$computer = "YOURSERVER"
$wmi = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName $computer -Filter "TerminalName='RDP-Tcp'"
$wmi.SetUserAuthenticationRequired(1)   # 1 = require NLA; the method commits the change, no Put() needed

To limit the RemoteApp channel to published programs only (registry fragment to merge on the RD Session Host):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fAllowUnlistedRemotePrograms"=dword:00000000
"RAILaunch"=dword:00000001

Force NLA for additional security while still allowing RemoteApp:

# Enable through PowerShell:
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 1

For enterprise deployments, consider implementing these RD Gateway authorization policies:

  1. Create device-based connection authorization policies
  2. Set up resource authorization policies for specific RemoteApps
  3. Configure CAP/RAP to only allow published applications

For verification and troubleshooting:

  • Always check Event Viewer logs under Applications and Services Logs > Microsoft > Windows > TerminalServices*
  • Use the qwinsta command to verify active sessions
  • Test with mstsc /v:yourserver /admin /shadow:1 for diagnostics
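The following PowerShell is an added example, not code from the original article: it turns the qwinsta and Event Viewer tips above into two reusable functions. ConvertFrom-QwinstaOutput parses the fixed-width session listing into objects (the sample lines fed to it are constructed, not captured from a real host), and Get-RdsLogonEvents reads recent successful logon (ID 21) and reconnection (ID 25) events from the LocalSessionManager operational log, including the source address of each session. The function names are my own.

```powershell
# Added example, not code from the original article. Run elevated on the
# RD Session Host. The qwinsta sample below is constructed; event IDs 21 and 25
# are the LocalSessionManager "session logon succeeded" / "session reconnection
# succeeded" events.

function ConvertFrom-QwinstaOutput {
    # Parse the fixed-width text of qwinsta / query session into objects.
    # Pass (qwinsta) for a live host, or captured lines for offline testing.
    param([Parameter(Mandatory)][string[]]$Lines)

    # Columns: [>]SESSIONNAME USERNAME ID STATE ...  Either SESSIONNAME
    # (disconnected sessions) or USERNAME (services, listener) may be blank,
    # so both groups allow an empty match; the numeric ID anchors the parse.
    $pattern = '^\s?(?<current>>?)(?<session>\S*)\s+(?<user>\S*)\s+(?<id>\d+)\s+(?<state>\S+)'

    foreach ($line in ($Lines | Select-Object -Skip 1)) {      # skip header row
        if ($line -match $pattern) {
            [pscustomobject]@{
                SessionName = $Matches.session
                UserName    = $Matches.user
                Id          = [int]$Matches.id
                State       = $Matches.state
                IsListener  = ($Matches.state -eq 'Listen')
            }
        }
    }
}

function Get-RdsLogonEvents {
    # Recent successful logons/reconnects with source address, from the log the
    # article points to. qwinsta alone cannot tell a RemoteApp session from a
    # full desktop; the Address here at least shows where each session came from.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 25
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The useful fields live in <UserData><EventXML>, not in the generic message.
        $x = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Kind      = if ($_.Id -eq 21) { 'Logon' } else { 'Reconnect' }
            User      = $x.User
            SessionId = $x.SessionID
            Source    = $x.Address
        }
    }
}

# Constructed qwinsta sample (not captured from a real host) covering the
# shapes the parser must handle: console, active RDP, disconnected, listener.
$sample = @(
    ' SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE',
    ' services                                    0  Disc',
    '>console           administrator             1  Active',
    ' rdp-tcp#3         jdoe                      4  Active',
    '                   asmith                    5  Disc',
    ' rdp-tcp                                 65536  Listen'
)
ConvertFrom-QwinstaOutput -Lines $sample |
    Where-Object { -not $_.IsListener -and $_.UserName } | Format-Table -AutoSize

# On the host itself: live sessions and the last day of logon events.
# ConvertFrom-QwinstaOutput -Lines (qwinsta) | Format-Table -AutoSize
# Get-RdsLogonEvents -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```

The parser keys on the numeric session ID rather than on column offsets, so it survives the blank SESSIONNAME that disconnected sessions show and the blank USERNAME of the listener row; run the event query periodically and compare the User column against the group you publish RemoteApps to, since any member of Remote Desktop Users appearing here with a full-desktop session is exactly the gap the article describes.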

When implementing RemoteApp in Windows Server environments, administrators frequently encounter a permissions paradox: granting RemoteApp access requires adding users to the "Remote Desktop Users" group, which inadvertently enables full Remote Desktop Protocol (RDP) access. This creates a significant security gap.

The fundamental issue stems from how RemoteApp leverages Terminal Services infrastructure. The system checks group membership in this hierarchy:

1. Initial connection request
   → Checks "Remote Desktop Users" group
      → If denied: Connection terminated
      → If allowed: Proceeds to RemoteApp CAP policy check

The proper configuration requires three registry modifications on your RD Session Host server:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fAllowToGetHelp"=dword:00000000
"fDenyTSConnections"=dword:00000001
"MaxInstanceCount"=dword:00000000

For enterprise deployments, use these GPO settings:

Computer Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Connections:
- "Allow users to connect remotely using Remote Desktop Services": Disabled
- "Restrict Remote Desktop Services users to a single Remote Desktop Services session": Enabled

After implementation, test with PowerShell:

Test-NetConnection -ComputerName [SERVER] -Port 3389
Get-RDRemoteApp -ConnectionBroker [BROKER] | Where-Object { $_.UserGroups -contains "DOMAIN\RemoteAppUsers" }
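As an added example that is not part of the original article, this PowerShell audits the RD Session Host state that the registry and GPO fragments above manipulate: the listener's NLA value, fAllowUnlistedRemotePrograms and fDenyTSConnections under the policy key, plus the members of the local "Remote Desktop Users" group, who are the accounts that hold full-desktop access. Rather than pass/fail, the report states what each observed value does, including that fDenyTSConnections=1 refuses every RDS connection to the host, RemoteApp sessions included, so you can compare the observed state with what you intend. Function names are my own; the registry paths are the ones used on the page.

```powershell
# Added example, not code from the original article. Audit the RDP-related
# registry state and the local "Remote Desktop Users" membership on an
# RD Session Host. Run in an elevated PowerShell session on the host.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RegistryValueOrNull {
    # Distinguish "not configured" (key or value absent) from an explicit 0.
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-RdsSettingReport {
    # Each entry records where the value lives and what each value means, so the
    # report explains the effect of the current state instead of echoing numbers.
    $settings = @(
        @{ Name = 'UserAuthentication';           Path = $ListenerKey
           Meaning = @{ 0 = 'NLA not required: a session is created before the user authenticates'
                        1 = 'NLA required: the user must authenticate before any session exists' } },
        @{ Name = 'fAllowUnlistedRemotePrograms'; Path = $PolicyKey
           Meaning = @{ 0 = 'RemoteApp channel may start published programs only'
                        1 = 'Any program may be started through the RemoteApp channel' } },
        @{ Name = 'fDenyTSConnections';           Path = $PolicyKey
           Meaning = @{ 0 = 'RDS connections to this host are allowed'
                        1 = 'All RDS connections refused, RemoteApp sessions included' } }
    )
    foreach ($s in $settings) {
        $value = Get-RegistryValueOrNull -Path $s.Path -Name $s.Name
        [pscustomobject]@{
            Setting = $s.Name
            Path    = $s.Path
            Value   = if ($null -eq $value) { 'not set' } else { $value }
            Effect  = if ($null -eq $value) { 'Not configured: OS default or managed elsewhere' }
                      elseif ($s.Meaning.ContainsKey([int]$value)) { $s.Meaning[[int]$value] }
                      else { 'Unexpected value, review manually' }
        }
    }
}

function Get-FullDesktopPrincipals {
    # Members of the local Remote Desktop Users group are granted interactive
    # RDP logon by that membership (local Administrators have it regardless).
    # This is the membership that RemoteApp publishing forces you to grant.
    Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource
}

Get-RdsSettingReport      | Format-Table -AutoSize -Wrap
Get-FullDesktopPrincipals | Format-Table -AutoSize
```

Run the report before and after applying the fragments above; the Effect column for fDenyTSConnections makes the trade-off visible, since the published RemoteApps still need an allowed RDP connection to the session host to launch.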

For defense-in-depth, combine this with:

  • Network Level Authentication (NLA)
  • RD Gateway requirements
  • Client certificate authentication