RDWeb 2012 R2 - User Assignment Not Working (Not Hiding App)

Hi Experts!

I have a stand-alone Windows 2012 R2 server with Remote Desktop Services installed.  It has been working well for some time.
We have a handful of applications published on it - one in particular is Internet Explorer.
There is a new user starting and we do not want him to have access to Internet Explorer via the RDWeb interface.
I've gone into the Collection and edited the User Assignment for this published App (iexplore.exe) to only be available to a group of individual AD user accounts.  This new user's account is NOT on the list.
I've waited for several hours, rebooted the server, etc., but this change does not seem to take effect.
When I log on as the new user via the RDWeb interface, the IE icon is still there and launchable.

Are there any known issues where a published App is displayed to user in RDWeb regardless of user assignment permissions?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
There isn't a known issue/bug, but there is a common misconfiguration that causes the behavior you describe.  Check out this blog post and note the two "considerations" notes:


If you are using local accounts, user assignment just doesn't take effect.

And the second one is also common. If the machine doing the check is not a member of that Authorization Group then the filtering fails as it doesn't have the right permissions. Adding the computer to the group solves the issue quickly.
dpmoneyAuthor Commented:
Hi Cliff,

Thanks for your feedback.  I had previously read that article and also considered adding this server to the AD group you mentioned, but further testing has shown that filtering what Apps are displayed on user RDWeb home pages is already working for some other published Apps.  

It is just not working for Internet Explorer.  It disregards the permissions and shows it on every user's page.  These are definitely all AD users.  

I'm hesitant to add this server to that group because it is very powerful and I don't want to give this server more permissions that it needs; especially since it is successfully filtering other apps based on user assignment permissions as noted above.

Again, I'm thinking this has something to do with iExplore.exe being so tightly integrated with the OS and it is being treated differently.  What do you think?
Cliff GaliherCommented:
It isn't. That group is absolutely required for proper filtering. It isn't listed in that article because it is optional. Now that I know you haven't, I am even more confident that is your issue.
Discover the Answer to Productive IT

Discover app within WatchGuard's Wi-Fi Cloud helps you optimize W-Fi user experience with the most complete set of visibility, troubleshooting, and network health features. Quickly pinpointing network problems will lead to more happy users and most importantly, productive IT.

dpmoneyAuthor Commented:
OK, I'll consider adding it to that group, but I'm a bit nervous - don't want to provide this box with more security than it needs.  I did some research on this group and it looks like it was put in for Windows 2003 to by pass a tighter security restriction that allowed everyone to view a security attribute in Win 2000.  

Also, I'm still perplexed as to why filtering works 100%, but just not with this one published App.

I'll test and report back later in the week.  Thanks.
dpmoneyAuthor Commented:
I added our Windows 2012 R2 Remote Desktop Services server to the Windows Authorization group, rebooted the server for good measure, and the Internet Explorer published App continues to be shown on the user's RDWeb page, even though the User Assignment explicitly lists just 3 domain users, and he is not one of them.

The only difference I can think of now is every other published app hit the ground running with specific user assignments, whereas the Internet Explorer published App was initially published with all users as a User Assignment (the default), and just recently changed to a list of explicit users.

Bottom-line, adding the RDS server to the AD group did not make the published App (iexplore.exe) follow the user assignments and disappear from the user's RDWeb page.

Can you think of anything else?  Thanks!
dpmoneyAuthor Commented:
*** UPDATE ***

After a lot of research and article reading and trial/error, I've isolated the cause of our issue and a workaround.  

We have 6 applications published.  Of the 6, 5 respond as expected when I make changes to them via the RDS management gui in Server Manager.  If I set an App not show up in the RDWeb portal, it does not.  If I assign specific permissions, the changes take effect.

The only one that doesn't seem to respect the changes made via the GUI is Internet Explorer.  I went into the published list of Apps in the registry and found a key called ShowInPortal which direclty maps to the setting available in the management GUI.  I also found a key called "SecurityDescriptor" that itemizes the SIDs which have access to the App if the User Assignment itemizes a list of domain users or groups.  Careful examination shows that each Security Descriptor contains the correct Users in the registry for the Apps that are working properly.  However, for the iexplore App, the SecurityDescriptor was BLANK even tough I had switched it from "All Users and Groups That Have Access to the Collection" to a specific list of users.  

WORKAROUND - I was able construct a properly formatted string for the iexplore.exe App's SecurityDescriptor Reg_SZ key so that it properly represented the users I had itemized and assigned in the RDS management GUI.  As soon as I made this change and logged into the RDWeb portal as the user for whom I've been working so hard to make iexplore.exe NOT show up, it WORKED CORRECTLY!

This still does not help to explain why this one App's registry settings do not update when settings are changed in the GUI.  I'd immediately think permissions, but the permissions on the registry key of each published App are the same (inherited from parent).  

I'm thinking about deleting the published iexplore.exe App and re-publishing it to see if that will make it respect the GUI's settings, but now that I have it working and understand the problem, I'm tempted to leave as is.

As noted above, membership in that Authorization group did not seem to make a difference and permission enumeration was working just fine for the other 5 Apps whether this RDS computer was in that group or not.  Thank to Cliff again for taking the time to make that suggestion just the same.

If anyone can think of a way for me to make this App respect the GUI changes, I'd love to hear thoughts.  Otherwise, I'll likely accept my findings as the solution.  I'll also post back if I find out more.

Thanks for reading!
dpmoneyAuthor Commented:
*** UPDATE # 2 ***


Following the troubleshooting I did above and confirming the single problematic published App was not writing my settings out to the registry, I assumed it was some sort of corruption issue.  I unpublished the App, re-published it, and it is working fine now.  I've toggled settings back and forth and can see the changes reflected in the registry.

For anyone's benefit in the future, Remote Desktop Services' RDWeb published Apps on Windows Server 2012 R2 are located in the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\[Collection Name]

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dpmoneyAuthor Commented:
Through a process of elimination, I reached the conclusions and solution noted in previous 2 posts above...detailed notes provided so they can help community members with similar issues.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.