You should have a look at this document:
http://www.vmware.com/files/pdf/VMware-DG-ThinApp-AppRegistration-EN.pdf
Role-Based Access to Applications
The process of deploying virtualized applications offers administrators control and flexibility over which machines and users receive either the application packages or access to the packages. Utilizing Active Directory or an alternative software deployment solution for distribution allows an organization to use the existing processes and controls. In addition to these organizational controls, VMware ThinApp allows an administrator to embed access control into the package by utilizing the PermittedGroups function, which can be specified during the Setup Capture process or amended afterward in the Package.ini file. This access control mechanism is obfuscated from the end user when the package is built, so it is impossible to identify or remove before the application is launched. In this way, the access control travels with the package if it is moved between devices after deployment. This mechanism can also be used when packages are hosted centrally on a file share as a secondary control in addition to file share permissions. To remove access to an application, the administrator simply removes the user from the Active Directory group and Thinreg will automatically unregister that application for the user.
Active Directory Permitted Groups
You can control access to applications using Active Directory groups. When the administrator specifies PermittedGroups in the Setup Capture process or manually places the SIDs in the Package.ini file, they are embedded into the package during the build process. The PermittedGroups entry in the Package.ini restricts usage of a package to a specific set of Active Directory users and provides the administrator a way to customize the error message to the user if they are not allowed to launch the application. For a desktop that is offline, the PermittedGroups function will utilize cached credentials to determine if the user has permission to launch the application.
Login Script-based
Implementation of the Thinreg executable can be incorporated into an existing login script with standard methods such as .bat, WSH, KIX, or VBScript. See the example below:
%logonserver%\netlogon\thinreg.exe /Q \\company.com\applications\*.exe
Unless you specify the parameter /k [/keepunauthorized], the application will register only for the permitted groups' users.
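A pre-build check for the PermittedGroups control described above, as an added example that is not part of the original post or of the VMware document. It assumes that entry-point sections are the ones carrying a Source= key and that a PermittedGroups value in an entry-point section overrides the [BuildOptions] default; the sample Package.ini and its group names are constructed.

```python
import configparser

# Constructed sample Package.ini; group names and paths are placeholders.
SAMPLE_PACKAGE_INI = r"""[BuildOptions]
; default applied to every entry point in the package
PermittedGroups=APP-Office-Users;APP-Office-Admins
AccessDeniedMsg=You are not authorized to run this application. Contact the help desk.

[Word.exe]
Source=%ProgramFilesDir%\Office\WINWORD.EXE

[Admin Console.exe]
Source=%ProgramFilesDir%\Office\ADMIN.EXE
PermittedGroups=APP-Office-Admins
"""


def effective_permitted_groups(ini_text):
    """Map each entry point to the groups that would be embedded for it."""
    # interpolation=None: values contain %Macro% tokens that must stay literal.
    # strict=False: tolerate duplicate keys left behind by hand edits.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    default = cp.get("BuildOptions", "PermittedGroups", fallback="")
    result = {}
    for section in cp.sections():
        # Assumption: an entry point is any non-BuildOptions section with Source=.
        if section == "BuildOptions" or not cp.has_option(section, "Source"):
            continue
        raw = cp.get(section, "PermittedGroups", fallback=default)
        result[section] = [g.strip() for g in raw.split(";") if g.strip()]
    return result


def unrestricted_entry_points(ini_text):
    """Entry points that would be built with no embedded group restriction."""
    groups = effective_permitted_groups(ini_text)
    return sorted(name for name, allowed in groups.items() if not allowed)


if __name__ == "__main__":
    for name, allowed in effective_permitted_groups(SAMPLE_PACKAGE_INI).items():
        print(f"{name}: {', '.join(allowed) or 'NO RESTRICTION'}")
```

Running it over each project's Package.ini before the build shows which entry points would ship relying on file share permissions alone.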