Just came across this thread. We have been running all LOB applications - Manage, Automate, password server, web apps, EVERYTHING - via RDS/RemoteApp for over 4 years. We lock down the destination (e.g. cannot log in to Manage from anything other than the RDS server / have the RDS server use a specified/exclusive IP on our gateway and then lock down web apps to only allow traffic from that IP). No logins from anywhere but our data center. This provides a lot of comfort and means not worrying about anyone doing anything crazy. Also, do not give your team the ability to be local admins - EVER - as there is no reason. With the RDS server, they don't need it. As for the challenge of the applications and permissions, whenever there is a patch we just update the app on the RDS server. No permissions issues whatsoever, as the next time the user logs in, it's already updated.