The authorization mechanism that allows a user to access desktops and applications directly is controlled within a local operating system group called View Agent Direct-Connection Users.
If a user is a member of this group, that user is authorized to connect to the virtual machine-based desktop, published desktop, or published applications. When the plug-in is first installed, this local group is created and contains the Authenticated Users group. Anyone who is successfully authenticated by the plug-in is authorized to access the desktop or applications.
To restrict access to this desktop or RDS host, you can modify the membership of this group to specify a list of users and user groups. These users can be local or domain users and user groups. If the user is not in this group, the user gets a message after authentication saying that the user is not entitled to access this virtual machine-based desktop or the published desktop and applications that are hosted on this RDS host.