Critical Unauthorized Execution of Sensitive RAS App ("Active Directory Users and Computers")

Hello Support Team,
I'm reporting a critical security issue with a published app on RAS. The app "Active Directory Users and Computers" is executing under user account "z20xxx", to whom I have not granted access.
Details/Evidence:
A screen snippet shows a disconnected session for "z20xxx" running this app.
Clicking "Show User Processes" confirms the app is executing.
What I've verified:
An "Effective Access" test for "z20xxx" shows no access to this app.
This app is highly sensitive, with access strictly limited to a few IT staff. I need to understand how this occurred.

Question: Can you advise on steps to investigate why this user can execute the app (e.g., logs, audits, or configuration checks)?