Hi there,
I have set up an RDS 2012R2 RemoteApp/RDS proof of concept for a client. The environment is as follows:
Domain and Forest functional Levels: Windows 2003
2 DCs: Server 2008R2.
1 RD Management and Licensing Server (2012 R2)
1 RD Gateway (2012 R2)
1 RD Broker (2012 R2)
1 RD Web Access (2012 R2)
4 Session hosts split up as follows:
RDS1 and 2: For RemoteApps. Collection is called RemoteApp
RDS 3: For Full Desktops. Collection is called Full Desktops
UAT: For User Acceptance Testing. Collection is called UAT1 and is configured for remote apps.
All 3 collections are enabled to allow users from the RDS_UAT group to access them. The RDS_UAT group consists of myself and 4 other testers. Within the collections (for testing):
RemoteApp collection: all apps are configured to be visible to users in the apps_sg security group (myself only). There are several folders which house the apps.
UAT Collection: All apps are configured to be visible to the RDS_UAT group. These all reside in the UAT Apps folder.
I have 2 issues:
1) A user who is not a member of either security group can log in and see all three collections. To test, I created a new user (user A) who is a member of only domain users. The user could see all the folders and collections. When the user tries to run the application, he is denied permission. Similarly, the other members of the RDS_UAT group can see the apps they should not be seeing in the RemoteApp collection.
2) The RemoteApp web feed (when added to Windows 7 and Windows 2008R2 machines) shows all the applications, even applications the user does not have access to. For example, for user A, I can see all the applications but not access any of them. Furthermore, the folder structure in RD Web Access is lost and all apps are listed alphabetically from top to bottom across all three collections.
Can anyone please advise as I can't seem to figure out why this is happening? I can't see anything in the event logs that would indicate any issues. There was one error on the broker (Remote Desktop Connection Broker server could not enumerate the targets for the provider named NULL from the database) which I resolved by adding the broker to "Windows Authorization Access Group" as per https://social.technet.microsoft.com/Forums/windowsserver/en-US/aef50c99-0f0e-4da2-bc4c-d5435692cb8b/server-2012-rds-remote-desktop-connection-broker-client-failed-to-redirect-the-user?forum=winserver8gen
Thanks,
HA