Changes to Group Policy object permissions through AGPM are ignored

Symptoms
If you want to change permissions on a Group Policy object that's controlled in Advanced Group Policy Management (AGPM), you first check out the policy in AGPM, and then you edit the permissions on the Security tab of the policy object. For example, you add the Read only permission to Authenticated Users. To save your changes you then check in the policy in AGPM. However, when you view the Security tab on the policy, you see that your changes were not saved as expected.
Cause
This behavior is by design in AGPM 4.0 Service Pack 3 (SP3) and earlier versions. To add permissions to newly created Group Policy objects, we recommend to that you use the Production Delegation tab in AGPM.
Workaround
To work around this issue, set the following registry key and values on the AGPM server:

Path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Agpm
Setting OverrideRemovePermissionsWithoutReadAndApply
Data Type String REG_SZ
Setting 1

When OverrideRemovePermissionsWithoutReadandApply is set to 1, any change to permissions will be saved after the policy is checked in to AGPM. 

When OverrideRemovePermissionsWithoutReadAndApply is not set or is set to any value other than 1, AGPM behaves in the way that's described in the "Symptoms" section.

Important After you set this registry key, you must also apply the hotfix in the following Microsoft Knowledge Base article:

3168628 September 2016 servicing release for Microsoft Desktop Optimization Pack
More information
For more information about Microsoft Advanced Group Policy Management (AGPM), see the following resources:

Properties

Article ID: 3174540 - Last Review: 10/04/2016 23:57:00 - Revision: 4.0

Microsoft Advanced Group Policy Management 4.0 Service Pack 3

  • KB3174540
Feedback