We’re pleased to announce a new feature in Windows Server 2008 R2: RemoteApp User Assignment. The RemoteApp User Assignment feature gives administrators the ability to show a customized list of RemoteApp programs specific to the logged-on user in RD Web Access and RemoteApp and Desktop Connections. This has been one of our most requested features since Terminal Services Web Access (TS Web Access) was released in Windows Server 2008.
In Windows Server 2008 TS Web Access, if two users with different application usage patterns log on to the website, they will both see the same list of RemoteApp programs. For example, a user from HR and a developer will see the same set of published applications. They will both have to dig through several published applications to access the ones that are relevant to them.
By using RemoteApp User Assignment, Windows Server 2008 R2 provides a solution to filter the applications based on the logged-on user. By using this new feature, the administrator can easily set up the system so that users will only see the applications they use. In our example scenario, the HR user will only see HR applications, and the developer will only see development applications. This feature makes it easy for users to find and run the applications that are relevant to them.
The RemoteApp User Assignment feature is implemented by adding an access control list (ACL) to every RemoteApp program. When a user logs on to RD Web Access, the list of applications that are visible to this user is fetched from the RD Session Host (RDSH) servers. As we can see in the diagram below, when RD Web Access is configured to point directly to one or more RD Session Host servers, RD Web Access queries the servers itself and filters the retrieved list of RemoteApp programs based on the ACLs.
When RD Web Access is configured to point to an RD Connection Broker server, the Connection Broker server queries the RD Session Host servers and filters the list of RemoteApp programs, as shown in the diagram below.
When the RemoteApp program is first published, its default ACL allows all users to see the application. Through the UI or Windows PowerShell™, the ACL can be configured to allow only certain domain users or entire domain groups to view the application. See the relevant sections later in this post for detailed configuration steps.
There are a few considerations when setting up this feature that I’d like to mention briefly.
1. RemoteApp programs can only be assigned to domain users or domain groups, not to local users or local security groups. If a user logs on to RD Web Access with a non-domain account, all RemoteApp programs are displayed, as with Windows Server 2008 TS Web Access.
2. The computer that actually evaluates the user's identity (the domain user and group SIDs in the user's token) against the RemoteApp program's ACL (see the diagrams in the previous section) must be either a member of the domain's Windows Authorization Access Group, or be joined to a domain running in Windows 2000 compatibility mode. Which computer that is depends on the topology: RD Web Access itself when it points directly at RD Session Host servers, or the RD Connection Broker server when RD Web Access points at a broker.
NOTE: RemoteApp User Assignment is not intended to be a security mechanism; rather it is a discoverability mechanism. It controls only what is listed in RD Web Access and in the RemoteApp and Desktop Connections feed; a user who already has an .rdp file for the program, or who logs on to a full desktop session, is not stopped from running it. There are already ways to secure access to an RD Session Host server (for example, membership in the Remote Desktop Users group on the server, NTFS permissions on the executable, and software restriction policies), and the RemoteApp User Assignment feature does nothing to change or improve upon them. This feature only helps reduce the number of unnecessary applications that are otherwise displayed to users.
In the RemoteApp Manager UI, a new tab, User Assignment, has been added to the RemoteApp Properties dialog box:
As you can see in the screenshot, this new tab allows administrators to specify which domain users and groups can view the RemoteApp program in RD Web Access and the RemoteApp and Desktop Connection feed.
To filter the applications, select the Specified domain users and domain groups option, and then click Add or Remove to modify the list of assigned domain users and groups. The screenshot below captures a configuration where the application is configured to be shown only to the members of the domain group RDVSTRESS\testgroup.
The feature can also be managed by using the Remote Desktop Services module for Windows PowerShell:
1. Click Start, click Administrative Tools, and then click Windows PowerShell Modules.
2. To switch to the Remote Desktop Services module for Windows PowerShell, type cd RDS:\.
3. Type cd RDS:\RemoteApp\RemoteAppPrograms and then press ENTER. A dir command at this container lists all the applications that are published.
4. Type cd .\<app>\UserAssignment and then press ENTER. A dir command at this container lists all the users and groups to whom the application is assigned.
5. To assign the application to the user 'testdomain\user2', type New-Item -Path RDS:\RemoteApp\RemoteAppPrograms\<app>\UserAssignment -Name user2@testdomain and then press ENTER.
6. To unassign the application from the user 'testdomain\user2', type Remove-Item -Path 'RDS:\RemoteApp\RemoteAppPrograms\<app>\UserAssignment\user2@testdomain' and then press ENTER.
7. Type dir and then press ENTER to confirm that the user has been removed from the list.
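The steps above, put together as one script. This is an added example and not part of the original post or the Remote Desktop Services team's code. It assumes a published RemoteApp with the alias HRPortal, a domain named contoso with a group HR-Users, that the group is written in the same name@domain form the post shows for a user (user2@testdomain), and that Test-Path works against the RDS: provider; all of those are assumptions. It also performs the prerequisite check from consideration 2 above: whether the local computer account is a direct member of the Windows Authorization Access Group (well-known SID S-1-5-32-560).

```powershell
# Added example, not from the original post. Run on the RD Session Host
# (or wherever the RemoteDesktopServices module is installed) as an
# administrator. Names below (HRPortal, contoso, HR-Users) are assumptions.
Import-Module RemoteDesktopServices

$app       = 'HRPortal'                       # RemoteApp alias, as listed by dir RDS:\RemoteApp\RemoteAppPrograms
$domain    = 'contoso'
$principal = "HR-Users@$domain"               # assumed group syntax, mirroring user2@testdomain in the post
$uaPath    = "RDS:\RemoteApp\RemoteAppPrograms\$app\UserAssignment"

# Consideration 1: only domain users and groups can be assigned. Reject a bare
# name or a MACHINE\user form before touching the provider.
function Test-DomainPrincipal([string]$Name, [string]$Domain) {
    return $Name -match ("^[^\\@]+@" + [regex]::Escape($Domain) + "$")
}
if (-not (Test-DomainPrincipal $principal $domain)) {
    throw "'$principal' is not a $domain principal; only domain users and groups can be assigned."
}

# Consideration 2: the computer evaluating the ACL should be in the Windows
# Authorization Access Group. This checks direct membership only; membership
# via a nested group is not resolved here.
function Test-WaagMembership {
    $waag = [ADSI]"LDAP://<SID=S-1-5-32-560>"
    $me   = ([ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME$))").FindOne()
    if ($null -eq $me) { return $false }
    $myDn = [string]$me.Properties['distinguishedname'][0]
    return ($waag.member -contains $myDn)
}
if (-not (Test-WaagMembership)) {
    Write-Warning "$env:COMPUTERNAME is not a direct member of Windows Authorization Access Group; filtering may not work if this host evaluates the ACL."
}

# Current assignment list (empty means the default: visible to all users).
Write-Host "Before:"
Get-ChildItem $uaPath | Select-Object -ExpandProperty Name

# Assign the application to the group; skip if it is already listed.
if (-not (Test-Path "$uaPath\$principal")) {
    New-Item -Path $uaPath -Name $principal | Out-Null
}

Write-Host "After assign:"
Get-ChildItem $uaPath | Select-Object -ExpandProperty Name

# To revert to the previous state, remove the entry again:
# Remove-Item -Path "$uaPath\$principal"
```

Because this is only a visibility filter, verify the change by logging on to RD Web Access as a member of the group and as a non-member, not by trying to launch the program: a non-member who already holds the .rdp file can still start it, exactly as the note above says.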
Hi, thanks for the info! It seems it will be very helpful for the new 2008 servers! It'll reduce user time to use it!
Does this also prevent users from launching applications which are not assigned to them when logging into the full remote desktop?
It doesn't prevent users from launching applications that are not assigned to them. This feature only helps filter out the published applications that are not assigned to a user in RD Web Access.
Can TS Web 2008 R2 enumerate RemoteApps from a non-R2 2008 broker or farm?
One of the biggest complaints about the first version of TS Web Access was its inability to assign applications to users based on permissions. With TS Web Access in Windows Server 2008 RTM, any RemoteApp you create is automatically available to all users.
Web Access cannot pull in data from a non-R2 broker server, as the centralized publishing service is not available on Win2k8 Server. The centralized publishing service is available only with the Win2k8 R2 Connection Broker. However, a DNS farm name can be used to enumerate RemoteApps.
Yeah, this feature sounds like a great start on the path to adding functionality to TSGW...
Where do i get it / when will it be available?
This is a feature of Remote Desktop Services in WS08 R2, so it will be available when WS08 R2 ships. See link below for announced availability dates.
Yes, but you do not get user filtering in this case. All apps will be seen by all users when enumerating remote apps from earlier TS servers/farms.
Will this feature become available via update/hotfix for current W2k8 Server NON-R2 installs?
@Derrick, this feature requires Win2008 R2.
Will this feature be available in foundation server 2008?
Still ages behind Citrix... It's just filtering...
Still ages behind Citrix?
Well yes, but RDP has always been behind Citrix. If not, Citrix wouldn't do all that well, would they??
Hi there. Excellent article about RemoteApp user assignment! One question about the application filtering:
When I assign a domain local group to a RemoteApp, our test user account 'user3' has the RemoteApp displayed on the Web Access page because one of his global groups is a member of that particular domain local group. After I remove the user from the global group it appears the filtering mechanism doesn't work anymore because the RemoteApp keeps getting displayed on the Web Access page. Is this correct behavior??
Thanks for your time...