Question : How do I Control Program Access on Windows Server 2008 R2 Terminal Server?

I'm in the process of building a Windows Server 2008 R2 Terminal Server, and I'm trying to find a way to limit access to certain installed programs on it.  For example, I'm licensed for up to 100 users to access the server using a Remote Desktop client, but only 68 of those users are licensed for Microsoft Visio.  I'd like to install Visio, but have it configured in such a way that only those 68 can run it on the server.  I need to control the access using an AD Group.

I'm aware that a potential solution would be to modify the security permissions of the Visio executable to only allow members of a certain group to have "Read/Execute" privs, but if anyone knows of a better, "cleaner" way of controlling program access on a RDP server, I'd love to hear it.

Thanks!

Answer : How do I Control Program Access on Windows Server 2008 R2 Terminal Server?

The approach you mentioned is the way to go. NTFS permissions.
oBdA, this varies from place to place. I know for sure (as I got a letter from Microsoft) that in many places they do accept that form of control as proof that no more than the number of licenses the customer has is in use at any given time in a TS/Citrix environment. This is a very common scenario, especially within government clients/agencies. They limit the number of people by NTFS permissions and after discussing this with Microsoft they actually get a formal, legal answer that accepts that.
But as you pointed out, if you go by the book, the licensing details you posted are correct.
So considering what was posted and what I have seen on the field, Microsoft seems to treat this on a case-by-case basis. You will have to contact your Microsoft representative and discuss the issue with him.

Cláudio Rodrigues
Citrix CTP