Changes to Group Policy object permissions through AGPM are ignored
This article provides a workaround for an issue where changes to Group Policy object permissions that's controlled in Advanced Group Policy Management (AGPM) aren't saved as expected.
Applies to: Windows Server (All supported versions), Windows client (All supported versions)
Original KB number: 3174540
Symptoms
To change permissions on a Group Policy object that's controlled in AGPM, you first check out the policy in AGPM, and then you edit the permissions on the Security tab of the policy object. For example, you add the Read only permission to Authenticated Users. However, after you check in the policy to save your changes, and then you view the Security tab on the policy, you see that your changes are not saved as expected.
Cause
This behavior is by design in AGPM 4.0 Service Pack 3 (SP3) and earlier versions. To add permissions to newly created Group Policy objects, we recommend to that you use the Production Delegation tab in AGPM.
Workaround
To work around this issue, follow these steps:
Install the Microsoft Desktop Optimization Pack March 2017 Servicing Release on the AGPM server.
Set the following registry key and values on the AGPM server.
- Path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Agpm - Value name: OverrideRemovePermissionsWithoutReadAndApply
- Value type: String REG_SZ
- Value data: 1
- Path:
Restart the AGPM server.
If OverrideRemovePermissionsWithoutReadandApply is set to 1, read permissions are saved after the policy is checked in to AGPM, but write permissions are removed.
If OverrideRemovePermissionsWithoutReadAndApply is not set or is set to any value other than 1, AGPM behaves in the way that's described in the Symptoms section.
References
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for