As we need to handle Desktop Entitlements and RDP access to VMs differently, I guess having an automation in place to automatically give RDP access to the desktop sources once they are entitled, or at least scan the entitlements and then give RDP on the respective VMs, will ease administrator life, as we just need to concentrate on working through the VDM Administrator console and not worry about giving RDP access explicitly on VMs. We thought of giving RDP by default to all users in the domain and allowing only entitled users, but this leads to other administrative overhead w.r.t. support. Did anyone try automating this stuff?
Haven't done that, but you have two things to think about:
The entitlements are stored in the ADAM, which you can access with ADSI/LDAP. The GPOs are stored in the AD, or you will need to set registry keys on the desktops.
Changes to the ADAM are not supported when directly connecting via scripts or something, so be careful here. Import/Export of the information could be done with the vdmexport tool, which works with LDIF files. You could give that a try.
We would like to dynamically manage RDP access based on entitlements, so if a desktop source is found in LDAP and has a defined entitlement list, then we can have a script which periodically verifies the Remote Desktop Users group for membership, compares the list and adds the missing entries to the Remote Desktop Users group. Guess GPO might not be possible here. Where does it store the entitlement information in ADAM? I couldn't find it using dsa.msc or an LDAP utility.
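The reconciliation loop described in the last post (read the entitlement list for a desktop, compare it with the local Remote Desktop Users group, add what is missing), written as an added PowerShell example; it is not code from the thread or from VMware. Because the thread does not say where View stores entitlements in ADAM (and direct script changes to ADAM are unsupported, as noted above), `Get-EntitledUsers` is a placeholder fed with constructed sample data; replace it with your own read-only lookup (for example, parsing `vdmexport` LDIF output). The sample VM names and user names are made up. It goes slightly beyond the post by offering an optional `-RemoveUnentitled` switch, since a group that only ever grows will drift away from the entitlement list; a `-DryRun` switch lets you review the delta before anything is changed.

```powershell
# Added example (not from the thread). Reconciles the local "Remote Desktop Users"
# group on a View desktop VM against that VM's entitlement list.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$Domain       = $env:USERDOMAIN,
    [switch]$RemoveUnentitled,   # also remove user members that are no longer entitled
    [switch]$DryRun              # report the delta only; make no changes
)

function Get-EntitledUsers {
    param([string]$ComputerName)
    # PLACEHOLDER: the thread does not identify the ADAM attribute holding entitlements,
    # so this returns constructed sample data. Swap in a read-only lookup of your own
    # (e.g. parsed vdmexport LDIF). Return bare sAMAccountNames, no domain prefix.
    $sample = @{
        'VDI-WIN7-01' = @('alice', 'bob')
        'VDI-WIN7-02' = @('carol')
    }
    if ($sample.ContainsKey($ComputerName)) { return @($sample[$ComputerName]) }
    return @()
}

function Get-RdpGroup {
    param([string]$ComputerName)
    # ADSI WinNT provider bound to the local group on the target VM.
    return [ADSI]"WinNT://$ComputerName/Remote Desktop Users,group"
}

function Get-RdpGroupMembers {
    param($Group)
    # Each member is a COM object; read its Name and Class (User / Group) via reflection.
    # Assumption: the WinNT provider reports domain users by bare account name.
    foreach ($m in @($Group.Invoke('Members'))) {
        [pscustomobject]@{
            Name  = $m.GetType().InvokeMember('Name',  'GetProperty', $null, $m, $null)
            Class = $m.GetType().InvokeMember('Class', 'GetProperty', $null, $m, $null)
        }
    }
}

function Sync-RdpGroup {
    param(
        [string]$ComputerName, [string]$Domain,
        [bool]$RemoveUnentitled, [bool]$DryRun
    )
    $entitled = Get-EntitledUsers -ComputerName $ComputerName
    $group    = Get-RdpGroup -ComputerName $ComputerName
    $members  = @(Get-RdpGroupMembers -Group $group)
    $current  = @($members | ForEach-Object { $_.Name })

    # Case-insensitive set comparison: who is entitled but not yet in the group?
    $toAdd = @($entitled | Where-Object { $current -notcontains $_ })
    # And, optionally, which *user* members are no longer entitled? Groups (e.g. a
    # helpdesk group added by policy) are deliberately left alone.
    $toRemove = @()
    if ($RemoveUnentitled) {
        $toRemove = @($members |
            Where-Object { $_.Class -eq 'User' -and $entitled -notcontains $_.Name } |
            ForEach-Object { $_.Name })
    }

    foreach ($u in $toAdd) {
        Write-Output "ADD    $Domain\$u -> Remote Desktop Users on $ComputerName"
        if (-not $DryRun) { $group.Invoke('Add', "WinNT://$Domain/$u,user") }
    }
    foreach ($u in $toRemove) {
        Write-Output "REMOVE $Domain\$u <- Remote Desktop Users on $ComputerName"
        if (-not $DryRun) { $group.Invoke('Remove', "WinNT://$Domain/$u,user") }
    }
    if (-not $toAdd -and -not $toRemove) {
        Write-Output "OK     $ComputerName already matches its entitlement list"
    }
}

Sync-RdpGroup -ComputerName $ComputerName -Domain $Domain `
              -RemoveUnentitled:$RemoveUnentitled.IsPresent -DryRun:$DryRun.IsPresent
```

Run it first with `-DryRun` against one VM (`.\Sync-RdpGroup.ps1 -ComputerName VDI-WIN7-01 -DryRun`) to see the ADD/REMOVE lines it would apply, then schedule it (a scheduled task on the Connection Server or a management host that has local administrator rights on the desktops) to get the periodic check the post asks for. The script only ever touches the local group on the desktop, never ADAM, which keeps it on the supported side of the warning in the earlier reply; keep its output as an audit trail so every change to RDP access can be traced back to an entitlement.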