Security Principal Discrepancies in RDWeb Published Applications vs. Full Desktop Sessions

LinChaoTTDC 0 Reputation points
2026-04-27T03:32:35.1833333+00:00

Hi all! We are streamlining application security on a Windows Server 2019 cluster by stripping the default "Users" group permissions from specific program directories and replacing them with granular departmental groups. While staff members can execute the binary without issue when logged into a full desktop session via MSTSC, the deployment fails when they attempt to launch the same tool as a published RemoteApp through the RDWeb portal. It appears that the RDS management layer or the connection broker requires a specific service identity or a broader built-in security principal to bridge the gap between the web feed and the file system. Beyond the standard authenticated user, which specific system-level account or group does the RDWeb process utilize to authorize the initial execution of a virtualized application?

Windows for business | Windows Server | Devices and deployment | Other

2 answers

  1. Tracy Le 9,280 Reputation points Independent Advisor
    2026-04-28T14:07:18.1833333+00:00

    Hi LinChaoTTDC,

    Just doing a quick follow-up to see if your RemoteApp publishing issue is fully resolved. Did explicitly granting "Read & Execute" permissions to the NETWORK SERVICE and SYSTEM accounts bridge the gap and allow your staff to launch the apps through the RDWeb portal again?

    If you are still hitting access denied errors or if the connection broker is still failing to spawn the app, just drop a comment. I'm always happy to help!

    Tracy Le.


  2. Tracy Le 9,280 Reputation points Independent Advisor
    2026-04-27T03:53:38.3033333+00:00

    Hi LinChaoTTDC,

    You have hit a classic RDS security boundary trap. By stripping the default folder permissions, you inadvertently removed the system identities that the Remote Desktop infrastructure relies on to validate and publish the application.

    Here is the architectural difference: While a full desktop session (MSTSC) executes the app purely under the logged-in user's token via explorer.exe, a RemoteApp is initialized by the Remote Desktop Services (TermService), which runs locally under the NETWORK SERVICE account.

    The Fix: To allow the RDWeb process to authorize and launch the virtualized application, you must explicitly grant Read & Execute permissions to the following two built-in principals on your application's executable and directory:

    - NETWORK SERVICE
    - SYSTEM

    Without NETWORK SERVICE having read access to the binary, the connection broker cannot bridge the gap to spawn the rdpshell.exe process for the RemoteApp feed. It fails before the user's specific departmental permissions are even evaluated.

    Tracy Le.

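The permission change described in the answer above, as an added PowerShell example that is not part of the question or either reply: it checks whether the two built-in principals already hold Read & Execute on the published application's directory and grants exactly that right (nothing broader) where it is missing. `$AppDir` is a placeholder path; run it elevated on the RD Session Host.

```powershell
# Added example, not from the original thread. Replace $AppDir with the real
# program directory (placeholder below) before running on the session host.
$AppDir = 'C:\Program Files\ExampleVendor\ExampleApp'   # placeholder path

# The two principals the answer names; SIDs resolve to these account names.
$Principals   = @('NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM')
$WantedRights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-HasReadExecute {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    # True when an Allow ACE (explicit or inherited) covers all of ReadAndExecute.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WantedRights) -eq [int]$WantedRights) {
            return $true
        }
    }
    return $false
}

if (-not (Test-Path -Path $AppDir -PathType Container)) {
    throw "Directory not found: $AppDir"
}

foreach ($id in $Principals) {
    if (Test-HasReadExecute -Path $AppDir -Identity $id) {
        Write-Output "OK: $id already has Read & Execute on $AppDir"
        continue
    }
    Write-Output "Missing: granting Read & Execute (only) to $id on $AppDir"
    $acl = Get-Acl -Path $AppDir
    # ContainerInherit + ObjectInherit so subfolders and the executable itself
    # receive the right; least privilege means no Modify or Full Control here.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, $WantedRights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $AppDir -AclObject $acl
}

# Review the resulting DACL; both principals should appear with (RX).
icacls $AppDir
```

If inheritance has been disabled on the executable itself, rerun the check with `$AppDir` pointing at that file, since the inherited ACE will not reach it.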
