diff --git a/WebsitePanel/Sources/WebsitePanel.Providers.TerminalServices.Windows2012/Windows2012.cs b/WebsitePanel/Sources/WebsitePanel.Providers.TerminalServices.Windows2012/Windows2012.cs index 930584d2..39cac14c 100644 --- a/WebsitePanel/Sources/WebsitePanel.Providers.TerminalServices.Windows2012/Windows2012.cs +++ b/WebsitePanel/Sources/WebsitePanel.Providers.TerminalServices.Windows2012/Windows2012.cs @@ -70,7 +70,8 @@ namespace WebsitePanel.Providers.RemoteDesktopServices private const string AddNpsString = "netsh nps add np name=\"\"{0}\"\" policysource=\"1\" processingorder=\"{1}\" conditionid=\"0x3d\" conditiondata=\"^5$\" conditionid=\"0x1fb5\" conditiondata=\"{2}\" conditionid=\"0x1e\" conditiondata=\"UserAuthType:(PW|CA)\" profileid=\"0x1005\" profiledata=\"TRUE\" profileid=\"0x100f\" profiledata=\"TRUE\" profileid=\"0x1009\" profiledata=\"0x7\" profileid=\"0x1fe6\" profiledata=\"0x40000000\""; private const string WspAdministratorsGroupDescription = "WSP Org Administrators"; private const string RdsServersOU = "RDSServers"; - private const string RDSHelpDeskComputerGroup = "Websitepanel-RDSHelpDesk-Computer"; + private const string RdsServersRootOU = "RDSRootServers"; + private const string RDSHelpDeskComputerGroup = "Websitepanel-RDSHelpDesk-Computer"; private const string RDSHelpDeskGroup = "WSP-HelpDeskAdministrators"; private const string RDSHelpDeskGroupDescription = "WSP Help Desk Administrators"; private const string LocalAdministratorsGroupName = "Administrators"; @@ -95,6 +96,14 @@ namespace WebsitePanel.Providers.RemoteDesktopServices } } + private string ComputersRootOU + { + get + { + return ProviderSettings["ComputersRootOU"]; + } + } + private string CentralNpsHost { get 
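Review bot: The new constant `RdsServersRootOU` in the -70 hunk is named as an organizational unit, but later hunks in this file use it as a group: `ActiveDirectoryUtils.CreateGroup(computersRootPath, RdsServersRootOU)`, `AppendCNPath(sb, RdsServersRootOU)` and `IsComputerInGroup(samName, RdsServersRootOU)`. Someone auditing directory changes made by this provider would look for an OU that is never created. Consider a name that says what it is, for example `private const string RdsServersRootGroup = "RDSRootServers";`, or at least add `// AD group (not an OU) created under the ComputersRootOU setting` above the declaration.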
@@ -313,6 +322,9 @@ namespace WebsitePanel.Providers.RemoteDesktopServices CheckOrCreateHelpDeskComputerGroup(); string helpDeskGroupSamAccountName = CheckOrCreateAdGroup(GetHelpDeskGroupPath(RDSHelpDeskGroup), GetRootOUPath(), RDSHelpDeskGroup, RDSHelpDeskGroupDescription); + string groupName = GetLocalAdminsGroupName(collection.Name); + string groupPath = GetGroupPath(organizationId, collection.Name, groupName); + string localAdminsGroupSamAccountName = CheckOrCreateAdGroup(groupPath, GetOrganizationPath(organizationId), groupName, WspAdministratorsGroupDescription); if (!ActiveDirectoryUtils.AdObjectExists(GetUsersGroupPath(organizationId, collection.Name))) { @@ -344,7 +356,8 @@ namespace WebsitePanel.Providers.RemoteDesktopServices //add session servers to group foreach (var rdsServer in collection.Servers) { - AddAdGroupToLocalAdmins(runSpace, rdsServer.FqdName, helpDeskGroupSamAccountName); + AddAdGroupToLocalAdmins(runSpace, rdsServer.FqdName, helpDeskGroupSamAccountName); + AddAdGroupToLocalAdmins(runSpace, rdsServer.FqdName, localAdminsGroupSamAccountName); AddComputerToCollectionAdComputerGroup(organizationId, collection.Name, rdsServer); } } 
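Review bot: The three lines added in the -313 hunk to resolve and create the collection's local-admins group are repeated in the -570 hunk (with `collectionName` instead of `collection.Name`), and the two copies already differ in how the result is used. A small private helper that takes `organizationId` and the collection name and returns the sAMAccountName would keep both call sites in step, e.g. `string localAdminsGroupSamAccountName = CheckOrCreateLocalAdminsGroup(organizationId, collection.Name);` (the helper name is only a suggestion). The group is also created with `WspAdministratorsGroupDescription`, whose value in this file is "WSP Org Administrators"; a description specific to session-host local admins would make the group's purpose clearer to anyone reviewing the directory. The enclosing method starts and ends outside the hunk.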
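Review bot: The loop comment `//add session servers to group` in the -344 hunk no longer describes the loop body, which now makes two `AddAdGroupToLocalAdmins` calls per server before the computer-group call. Judging by the method name, membership of either AD group then confers local administrator rights on every session host in the collection, which is worth stating where the grant happens, for example `// grant the help-desk group and the collection's local-admins group local administrator rights on each session host`. The hunk shows no handling for a failure part-way through the loop, so hosts could end up with different grants; whether a caller compensates is not visible here.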
@@ -570,8 +583,12 @@ namespace WebsitePanel.Providers.RemoteDesktopServices ExecuteShellCommand(runSpace, cmd, false); CheckOrCreateHelpDeskComputerGroup(); - string helpDeskGroupSamAccountName = CheckOrCreateAdGroup(GetHelpDeskGroupPath(RDSHelpDeskGroup), GetRootOUPath(), RDSHelpDeskGroup, RDSHelpDeskGroupDescription); + string helpDeskGroupSamAccountName = CheckOrCreateAdGroup(GetHelpDeskGroupPath(RDSHelpDeskGroup), GetRootOUPath(), RDSHelpDeskGroup, RDSHelpDeskGroupDescription); + string groupName = GetLocalAdminsGroupName(collectionName); + string groupPath = GetGroupPath(organizationId, collectionName, groupName); + string localAdminsGroupSamAccountName = CheckOrCreateAdGroup(groupPath, GetOrganizationPath(organizationId), groupName, WspAdministratorsGroupDescription); + AddAdGroupToLocalAdmins(runSpace, server.FqdName, LocalAdministratorsGroupName); AddAdGroupToLocalAdmins(runSpace, server.FqdName, helpDeskGroupSamAccountName); AddComputerToCollectionAdComputerGroup(organizationId, collectionName, server); } @@ -1363,6 +1380,14 @@ namespace WebsitePanel.Providers.RemoteDesktopServices return installationResult; } + private void CheckOrCreateComputersRoot(string computersRootPath) + { + if (ActiveDirectoryUtils.AdObjectExists(computersRootPath) && !ActiveDirectoryUtils.AdObjectExists(GetRdsServersGroupPath())) + { + ActiveDirectoryUtils.CreateGroup(computersRootPath, RdsServersRootOU); + } + } + public void MoveRdsServerToTenantOU(string hostName, string organizationId) { var tenantComputerGroupPath = GetTenantComputerGroupPath(organizationId); 
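Review bot: `localAdminsGroupSamAccountName` is computed in the -570 hunk but never passed anywhere in the visible lines; the added call passes the constant `LocalAdministratorsGroupName` ("Administrators") instead. The matching change in the -344 hunk passes `localAdminsGroupSamAccountName`, so this looks like a mix-up: a server added to an existing collection would not receive the collection's local-admins group, and a differently scoped name is handed to `AddAdGroupToLocalAdmins`. The likely intent is `AddAdGroupToLocalAdmins(runSpace, server.FqdName, localAdminsGroupSamAccountName);`. What `AddAdGroupToLocalAdmins` does with the name "Administrators" is not visible here, so it is worth checking which grants exist on hosts already processed by this code path. The method body starts and ends outside the hunk.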
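Review bot: `CheckOrCreateComputersRoot` in the -1363 hunk neither checks nor creates the computers root itself; it creates the `RdsServersRootOU` group inside it, and it silently does nothing when `computersRootPath` does not exist. A mistyped `ComputersRootOU` setting therefore goes unnoticed. The existence test also mixes the `computersRootPath` parameter with `GetRdsServersGroupPath()`, which is built from the setting rather than from the parameter. Consider a name that matches the behaviour, a `/// <summary>` stating that the group is created only when the OU already exists, and a logged warning on the no-op branch.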
@@ -1373,7 +1398,14 @@ namespace WebsitePanel.Providers.RemoteDesktopServices } hostName = hostName.ToLower().Replace(string.Format(".{0}", ServerSettings.ADRootDomain.ToLower()), ""); - var computerPath = GetComputerPath(hostName, true); + var computerPath = GetComputerPath(hostName, true); + var rootComputerPath = GetRdsServerPath(hostName); + var tenantComputerPath = GetTenantComputerPath(hostName, organizationId); + + if (!string.IsNullOrEmpty(ComputersRootOU)) + { + CheckOrCreateComputersRoot(GetComputersRootPath()); + } if(!ActiveDirectoryUtils.AdObjectExists(computerPath)) { @@ -1385,6 +1417,14 @@ namespace WebsitePanel.Providers.RemoteDesktopServices var computerObject = ActiveDirectoryUtils.GetADObject(computerPath); var samName = (string)ActiveDirectoryUtils.GetADObjectProperty(computerObject, "sAMAccountName"); + if (!string.IsNullOrEmpty(ComputersRootOU)) + { + if (ActiveDirectoryUtils.IsComputerInGroup(samName, RdsServersRootOU)) + { + ActiveDirectoryUtils.RemoveObjectFromGroup(computerPath, GetRdsServersGroupPath()); + } + } + if (!ActiveDirectoryUtils.IsComputerInGroup(samName, RdsServersOU)) { DirectoryEntry group = new DirectoryEntry(tenantComputerGroupPath); @@ -1400,6 +1440,12 @@ namespace WebsitePanel.Providers.RemoteDesktopServices var tenantComputerGroupPath = GetTenantComputerGroupPath(organizationId); hostName = hostName.ToLower().Replace(string.Format(".{0}", ServerSettings.ADRootDomain.ToLower()), ""); var tenantComputerPath = GetTenantComputerPath(hostName, organizationId); + var rootComputerPath = GetRdsServerPath(hostName); + + if (!string.IsNullOrEmpty(ComputersRootOU)) + { + CheckOrCreateComputersRoot(GetComputersRootPath()); + } var computerPath = GetComputerPath(hostName, true); 
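Review bot: The locals `rootComputerPath` and `tenantComputerPath` added in the -1373 hunk, and `rootComputerPath` added in the -1400 hunk, are not read anywhere in the lines this diff shows. Each builds an LDAP path string that is then discarded, and their presence suggests the computer object is looked up or moved under the root group, while the visible code only changes group membership. If nothing outside the hunks uses them, drop the declarations; both methods continue outside the hunks, so this needs confirming against the full file.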
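Review bot: In the -1385 hunk the computer is removed from the root group before the existing block below adds it to the tenant group (only the first line of that block is visible). A failure in the later add would then leave the server in neither group. Moving the removal after the tenant-group add has succeeded avoids that window. The two nested `if` statements can also be merged into `if (!string.IsNullOrEmpty(ComputersRootOU) && ActiveDirectoryUtils.IsComputerInGroup(samName, RdsServersRootOU))`.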
@@ -1417,6 +1463,14 @@ namespace WebsitePanel.Providers.RemoteDesktopServices { ActiveDirectoryUtils.RemoveObjectFromGroup(computerPath, tenantComputerGroupPath); } + + if (ActiveDirectoryUtils.AdObjectExists(GetComputersRootPath()) && !string.IsNullOrEmpty(ComputersRootOU) && !ActiveDirectoryUtils.IsComputerInGroup(samName, RdsServersRootOU)) + { + DirectoryEntry group = new DirectoryEntry(GetRdsServersGroupPath()); + group.Invoke("Add", computerObject.Path); + + group.CommitChanges(); + } } } @@ -1543,6 +1597,10 @@ namespace WebsitePanel.Providers.RemoteDesktopServices { remoteApp.Users = users; } + else + { + remoteApp.Users = null; + } return remoteApp; } @@ -1734,6 +1792,56 @@ namespace WebsitePanel.Providers.RemoteDesktopServices return sb.ToString(); } + private string GetComputersRootPath() + { + StringBuilder sb = new StringBuilder(); + + AppendProtocol(sb); + AppendDomainController(sb); + AppendOUPath(sb, ComputersRootOU); + AppendDomainPath(sb, RootDomain); + + return sb.ToString(); + } + + private string GetRdsServersGroupPath() + { + StringBuilder sb = new StringBuilder(); + + AppendProtocol(sb); + AppendDomainController(sb); + AppendCNPath(sb, RdsServersRootOU); + AppendOUPath(sb, ComputersRootOU); + AppendDomainPath(sb, RootDomain); + + return sb.ToString(); + } + + private string GetRdsServerPath(string name) + { + StringBuilder sb = new StringBuilder(); + + AppendProtocol(sb); + AppendDomainController(sb); + AppendCNPath(sb, name); + AppendCNPath(sb, RdsServersRootOU); + AppendOUPath(sb, ComputersRootOU); + AppendDomainPath(sb, RootDomain); + + return sb.ToString(); + } + + private string GetRootPath() + { + StringBuilder sb = new StringBuilder(); + + AppendProtocol(sb); + AppendDomainController(sb); + AppendDomainPath(sb, RootDomain); + + return sb.ToString(); + } + internal string GetTenantComputerGroupPath(string organizationId) { StringBuilder sb = new StringBuilder(); 
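Review bot: The added condition in the -1417 hunk calls `ActiveDirectoryUtils.AdObjectExists(GetComputersRootPath())` before it checks `!string.IsNullOrEmpty(ComputersRootOU)`, so where the setting is empty a path built from an empty OU value is still queried against the directory (what that path resolves to depends on `AppendOUPath`, which is not shown). Put the setting check first: `if (!string.IsNullOrEmpty(ComputersRootOU) && ActiveDirectoryUtils.AdObjectExists(GetComputersRootPath()) && !ActiveDirectoryUtils.IsComputerInGroup(samName, RdsServersRootOU))`. The new `DirectoryEntry group` is never disposed; `using (DirectoryEntry group = new DirectoryEntry(GetRdsServersGroupPath()))` releases the underlying directory handle. The block checks that the root OU exists but not the group itself, so it relies on `CheckOrCreateComputersRoot` having run earlier in the method.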
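Review bot: `GetRdsServerPath` in the -1734 hunk appends the host CN and then the `RdsServersRootOU` CN, which, assuming `AppendCNPath` emits one `CN=` component per call, produces a DN for an object contained in a group. Group members are referenced by the group rather than stored beneath it, so such a path would not resolve to the computer object; its only callers in this diff assign the result to locals that are not read. `GetRootPath` has no caller in the shown hunks either. The other three builders place the `ComputersRootOU` setting into the path, and whether `AppendOUPath` escapes DN special characters is not visible, so a one-line `///` comment on each builder giving the DN shape it returns would make that easier to review.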
diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/App_LocalResources/RDS_Settings.ascx.resx b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/App_LocalResources/RDS_Settings.ascx.resx index d8e514f9..dd9c465d 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/App_LocalResources/RDS_Settings.ascx.resx +++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/App_LocalResources/RDS_Settings.ascx.resx @@ -144,4 +144,7 @@ SAN Name: + + Computers Root OU: + \ No newline at end of file diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/RDS_Settings.ascx b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/RDS_Settings.ascx index 62f67170..415fd085 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/RDS_Settings.ascx +++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/RDS_Settings.ascx @@ -76,6 +76,15 @@ + + + + + + + + + diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/RDS_Settings.ascx.cs b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/RDS_Settings.ascx.cs index 19c684e7..8806b61d 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/RDS_Settings.ascx.cs +++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/RDS_Settings.ascx.cs 
@@ -83,6 +83,7 @@ namespace WebsitePanel.Portal.ProviderControls UpdateLyncServersGrid(); txtRootOU.Text = settings["RootOU"]; + txtComputersRootOu.Text = settings["ComputersRootOU"]; txtPrimaryDomainController.Text = settings["PrimaryDomainController"]; if (!string.IsNullOrEmpty(settings["UseCentralNPS"]) && bool.TrueString == settings["UseCentralNPS"]) @@ -103,6 +104,7 @@ namespace WebsitePanel.Portal.ProviderControls { settings["ConnectionBroker"] = txtConnectionBroker.Text; settings["RootOU"] = txtRootOU.Text; + settings["ComputersRootOU"] = txtComputersRootOu.Text; settings["PrimaryDomainController"] = txtPrimaryDomainController.Text; settings["UseCentralNPS"] = chkUseCentralNPS.Checked.ToString(); settings["CentralNPS"] = chkUseCentralNPS.Checked ? txtCentralNPS.Text : string.Empty; diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/RDS_Settings.ascx.designer.cs b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/RDS_Settings.ascx.designer.cs index 0a5bf54b..81ceb1a6 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/RDS_Settings.ascx.designer.cs +++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/RDS_Settings.ascx.designer.cs 
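Review bot: `settings["ComputersRootOU"] = txtComputersRootOu.Text;` in the -103 hunk stores the text box value verbatim, and the provider changes in this commit place that value into LDAP paths used to create a group and change group membership. Leading or trailing whitespace, or DN special characters such as `,` and `=`, would change which container those operations target unless `AppendOUPath` escapes them, which this diff does not show. At minimum store `txtComputersRootOu.Text.Trim()`, and consider validating the value against the OU format the provider expects before saving. The designer hunk also adds `RequiredFieldValidator1` next to this control; if it makes the field mandatory, that conflicts with the provider treating an empty value as "feature disabled".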
@@ -138,6 +138,33 @@ namespace WebsitePanel.Portal.ProviderControls { /// protected global::System.Web.UI.WebControls.RequiredFieldValidator RequiredFieldValidator4; + /// + /// lblComputersRootOU control. + /// + /// + /// Auto-generated field. + /// To modify move field declaration from designer file to code-behind file. + /// + protected global::System.Web.UI.WebControls.Label lblComputersRootOU; + + /// + /// txtComputersRootOu control. + /// + /// + /// Auto-generated field. + /// To modify move field declaration from designer file to code-behind file. + /// + protected global::System.Web.UI.WebControls.TextBox txtComputersRootOu; + + /// + /// RequiredFieldValidator1 control. + /// + /// + /// Auto-generated field. + /// To modify move field declaration from designer file to code-behind file. + /// + protected global::System.Web.UI.WebControls.RequiredFieldValidator RequiredFieldValidator1; + /// /// lblPrimaryDomainController control. /// diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/UserControls/RDSCollectionApps.ascx.cs b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/UserControls/RDSCollectionApps.ascx.cs index c293ea26..47e39a3d 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/UserControls/RDSCollectionApps.ascx.cs +++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/UserControls/RDSCollectionApps.ascx.cs @@ -215,7 +215,7 @@ namespace WebsitePanel.Portal.RDS.UserControls app.RequiredCommandLine = ((HiddenField)row.FindControl("hfRequiredCommandLine")).Value; var users = ((HiddenField)row.FindControl("hfUsers")).Value; - if (users != null) + if (!string.IsNullOrEmpty(users)) { app.Users = new string[]{"New"}; }
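Review bot: The condition changed in the -215 hunk still derives `app.Users` from `hfUsers`, a hidden field whose value is returned by the browser, and the array it assigns, `new string[]{"New"}`, is a placeholder rather than a user list. If a non-null `Users` has any access-control meaning further down (the provider hunk at -1543 now sets it to `null` explicitly), that state should come from server-side data rather than from the posted form. A comment such as `// hfUsers is only a has-users flag; "New" is a placeholder, not an account name` would document the sentinel, assuming that is the intent. The enclosing method is outside the hunk.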