I'm trying to remove the capability to add VM's to my distributed port groups that I want to use solely for VMKernel type traffic:
Anyone know how to do this? Looked around all the settings and documentation but can't find the way.
Not 100% if there is another way, but you may try configure the number of ports in your management port group to the exact number of ports you're using to your VMkernel interfaces, this way users will not be able to add virtual machine to this port group since there is no free port available.
my answer is not going to be much different then the one you got from Richardson.
So Ideally, I would try to control it using fixed - static port binding using same number of ports you need for VMkernel ports.
also setup permissions accordingly so only few people can see/use that port group, others don't have permission.