An administrator previously added the group NT AUTHORITY\Authenticated Users as a nested member of the local Remote Desktop Users group on a XenApp server. If a XenApp administrator sets Prohibit Logons Only for the server in AppCenter (through the Logon Control menu) and then later re-enables user logons, the NT AUTHORITY\Authenticated Users group is removed from the local Remote Desktop Users group. As a result, the users are unable to launch published applications from the server.
To verify this issue is not related to Citrix XenApp, complete the following steps:
Install the Remote Desktop Services role on a non-Citrix server.
Add the NT AUTHORITY\Authenticated Users group to the local Remote Desktop Users group on the server.
Run the following command at the command prompt:
Chglogon.exe /Drain
Run the following command to check status:
Chglogon.exe /Query
Run the following command to enable logons again:
Chglogon.exe /Enable
Check to verify the NT AUTHORITY\Authenticated Users group is removed from the Remote Desktop Users group on the server.
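The verification steps above can be scripted so that the membership of the Remote Desktop Users group is compared before and after the drain/enable cycle. This is an added example, not part of the original article; it assumes an English-language test server (group name Remote Desktop Users) and an elevated prompt, and the function name Get-RdpGroupMembers is hypothetical.

```powershell
# Added example: run from an elevated prompt on a test server that has the
# Remote Desktop Services role. Uses the ADSI WinNT provider so that it also
# works with the PowerShell 2.0 included in Windows Server 2008 R2.

function Get-RdpGroupMembers {
    # Hypothetical helper: returns the ADsPath of each member of the local
    # Remote Desktop Users group (English group name assumed).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

# Snapshot the membership before changing the logon mode.
$before = @(Get-RdpGroupMembers)

# Same sequence as the manual steps: drain, query the status, re-enable.
chglogon.exe /drain
chglogon.exe /query
chglogon.exe /enable

# Snapshot again and report any member that disappeared.
$after   = @(Get-RdpGroupMembers)
$removed = @($before | Where-Object { $after -notcontains $_ })

if ($removed.Count -gt 0) {
    Write-Warning 'Members removed from Remote Desktop Users by the drain/enable cycle:'
    $removed
} else {
    'Remote Desktop Users membership is unchanged.'
}
```

On an affected server the warning lists the WinNT path for NT AUTHORITY\Authenticated Users.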
To work around the issue, add <Domain>\Domain Users instead of NT AUTHORITY\Authenticated Users to the Remote Desktop Users group on each server.
The issue is caused by a bug within the Microsoft component chglogon.exe installed as part of the Remote Desktop Services role in Windows Server 2008 R2, and can be reproduced on a server without Citrix XenApp installed.
Contact Microsoft Technical Support to request a fix.