App-V streaming with App-V Management Servers allows you to associate a program with an AD DS security group. Deploying applications can be as simple as adding users to security groups. When their App-V Desktop Clients perform a publishing refresh operation, which happens by default when users log on to their computers, users will have access to the applications they have the rights to use based on group membership.

The down side of using this method to assign applications to users is the tendency to create many security groups—often, a security group for every application. When a user is a member of too many security groups, the maximum Kerberos token size can be exceeded. You can adjust the ticket size to allow a user to be a member of more user groups; however, managing many groups can become an administrative burden. See the Microsoft Support article, New resolution for problems with Kerberos authentication when users belong to many groups, for details on this issue.

The best practice for using security groups when deploying virtual applications is to align groups to a job role rather than have each application assigned its own group. For example, a customer support employee would need access to an issue-tracking line-of-business application and the customer database application. By associating both applications with a group for customer support, the employees receive their applications by administrators adding users to a single security group.

Related Topics

Use App-V for Thin Images