Controlling Application Access with Active Directory
You can control access to applications using Active Directory groups.
When you build a package, ThinApp converts Active Directory group names into Security Identifier (SID) values. A SID is a small binary value that uniquely identifies an object. SID values are not unique for a few groups, such as the administrator group. Because ThinApp stores SID values in packages for future validation, the following considerations apply to Active Directory use:
You must be connected to your Active Directory domain during the build process and the groups you specify must exist. ThinApp looks up the SID value during the build.
When users are offline, ThinApp can authenticate them using cached credentials. If the users can log into their machines, authentication still works. Use a group policy to set the period when cached credentials are valid.
Cached credentials might not refresh on clients until the next Active Directory refresh cycle. You can force a group policy on a client by using the gpupdate command. This command refreshes local group policy, group policy, and security settings stored in Active Directory. You might log out before Active Directory credentials are recached.
Certain groups, such as the Administrators group and Everyone group, have the same SID on every Active Directory domain and workgroup. Other groups you create have a domain-specific SID. Users cannot create their own local group with the same name to bypass authentication.
Package.ini Entries for Active Directory Access Control
ThinApp provides the PermittedGroups parameter in the Package.ini file to control Active Directory access.
PermittedGroups Parameter
When you start a captured application, the PermittedGroups parameter checks whether a user is a member of a specified Active Directory group. If the user is not a member of the Active Directory group, ThinApp does not start the application. For information about restricting packages to Active Directory groups, see the “PermittedGroups” parameter in the ThinApp Package.ini Parameters Reference Guide.
In the following Package.ini entry, App1 and App2 inherit PermittedGroups values.
[BuildOptions]
PermittedGroups=Administrators;OfficeUsers
[App1.exe]
...
..
[App2.exe]
...
...
In the following entry, only users belonging to the App1Users group can use the App1.exe file, and members of the Everyone group can use the App2.exe file. The default message for denied users changes for App1.
[BuildOptions]
PermittedGroups=Everyone
[App1.exe]
PermittedGroups=App1Users
AccessDeniedMsg=Sorry, you can’t run this application
..
[App2.exe]
...
...
PermittedComputers Parameter
When a captured application is started, the PermittedComputers parameter verifies whether the computer is a member of a specified Active Directory group. If the computer is not a member of the Active Directory group, ThinApp does not start the application. This parameter can be used as follows:
PermittedComputers=xpsystemgroup;win7systems
The Package.ini entry for the application's primary data container (PDC) overrides the global settings, and all entry points inherit these settings from the PDC.
For example:
[BuildOptions]
PermittedComputers=OfficeComputers
 
[Microsoft Office 2010.dat]
PermittedComputers=xpsystemgroup;
 
[Microsoft Word 2010.exe]
...
...
[Microsoft excel 2010.exe]
...
...
In the above example, the PermittedComputers setting for [Microsoft Office 2010.dat] overrides the global option provided in [BuildOptions] because this file is the PDC. The Word and Excel applications inherit settings from [Microsoft Office 2010.dat].
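The inheritance described for PermittedGroups and PermittedComputers can be audited before a build. The following Python code is an added example, not part of the ThinApp documentation or tooling: it resolves the effective values for each Package.ini section and flags entry points that are unrestricted or restricted only to groups whose SID is the same on every domain. The function names, the pdc argument, and the precedence order (own section, then the PDC section, then [BuildOptions]) are assumptions generalized from the examples on this page.

```python
# Added example (not ThinApp code): effective access control per Package.ini section.
WELL_KNOWN = {"everyone", "administrators"}  # same SID on every domain, per the page
KEYS = ("PermittedGroups", "PermittedComputers")

# Constructed sample that combines the page's two examples.
SAMPLE = """\
[BuildOptions]
PermittedGroups=Everyone
PermittedComputers=OfficeComputers
[Microsoft Office 2010.dat]
PermittedComputers=xpsystemgroup;
[Microsoft Word 2010.exe]
PermittedGroups=App1Users
[Microsoft excel 2010.exe]
...
"""

def parse_package_ini(text):
    """Return {section: {key: value}}; ';' comments and lines without '=' are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def effective_settings(sections, pdc=None):
    """Assumed precedence: own section, then the PDC section, then [BuildOptions]."""
    base = sections.get("BuildOptions", {})
    report = {}
    for name, own in sections.items():
        if name == "BuildOptions":
            continue
        layers = [own] + ([sections[pdc]] if pdc in sections else []) + [base]
        row = {}
        for key in KEYS:
            value = next((layer[key] for layer in layers if key in layer), "")
            row[key] = [n.strip() for n in value.split(";") if n.strip()]
        groups = row["PermittedGroups"]
        row["findings"] = ["no PermittedGroups restriction"] if not groups else [
            f"{g}: same SID on every domain" for g in groups if g.lower() in WELL_KNOWN]
        report[name] = row
    return report

if __name__ == "__main__":
    for name, row in effective_settings(parse_package_ini(SAMPLE), "Microsoft Office 2010.dat").items():
        print(name, row)
```

Pass the name of the PDC section explicitly; the code does not try to detect it from the file.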