ThinApp User’s Guide : Configuring Package Parameters : Configuring Permissions : PermittedGroups

PermittedGroups
The PermittedGroups parameter restricts a package to a specific set of Active Directory users.
You can specify group names, SID strings, or a mix of group names and SID strings in the same line of the PermittedGroups parameter. If you use a domain-based group name, you must connect to that domain when you build the application package. If you add a SID in the parameter value, you are not required to connect to the domain where the SID is defined.
Active Directory Domain Services define security groups and distribution groups. This parameter can only support nested security groups. For example, if a user is a member of security group A, and security group A is a member of security group B, ThinApp can detect the user as a member of security group A and security group B.
When ThinApp builds an application, ThinApp assumes any specified group names are valid and converts the names to SID values. ThinApp can resolve group ownership at runtime using cached credentials. You can continue to authenticate laptop users even when they are offline. If the user does not have access to run the package, you can customize the AccessDeniedMsg parameter to instruct the user.
You can place the PermittedGroups parameter under the [BuildOptions] heading to affect the package or under the [<application>.exe] heading to affect a specific application. The [<application>.exe] value overrides the default [BuildOptions] value for the specific application.
Examples
You can modify the PermittedGroups parameter to specify a list of Active Directory user group names, separated by semicolons. The [BuildOptions] parameters set global settings for the entire project.
[BuildOptions]
PermittedGroups=Administrator;OfficeUsers
AccessDeniedMsg=You do not have permission to execute this application, please call support @ 1-800-822-2992
You can specify a user group setting for a specific application that overwrites the global PermittedGroups setting.
[App1.exe]
PermittedGroups=Guest
AccessDeniedMsg=You do not have permission to execute this application, please call support @ 1-800-822-2992
If you do not specify a PermittedGroups setting for an application, the application inherits the global PermittedGroups value in the [BuildOptions] section.
[App2.exe]
...
You can mix group names and SID strings in the same entry for the PermittedGroups parameter.
PermittedGroups=S-1-5-32-544;Office Users