AGPM Access Denied

BriggsDane 166 Reputation points
2020-12-14T17:38:59.843+00:00

I need to grant a user edit rights to a single GPO through AGPM. I selected the GPO in Change Control, Controlled tab and then I added the user and gave the user Editor role. When the user opens the GPMC and selects Change Control he gets the following error.

Could not retrieve the list of controlled GPOs.

The following error occurred:
You do not have sufficient permissions to perform this operation.
Microsoft.Agpm.AccessDeniedException (80070005)

If I grant the user the Editor role through the Domain Delegation tab then the user has no issues, but it also gives that user editor rights to GPOs that he should not have access to.


Accepted answer
BriggsDane 166 Reputation points
2021-03-09T19:08:30.603+00:00

Per MS documentation:

"To delegate read access to Group Policy administrators who use AGPM, you must grant them List Contents as well as Read Settings permissions. This enables them to view GPOs on the Contents tab of AGPM. Other permissions must be explicitly delegated."

This is why setting the user as a Reviewer in the Domain and then granting the Editor role on the individual GPO works. The minimum rights required to open the archive are List Contents and Read Settings in Domain Delegation.


5 additional answers

BriggsDane 166 Reputation points
2021-03-01T22:42:19.367+00:00

I opened a support request with MS and after a few weeks they determined that AGPM is not supported on Windows Server 2016 and I need to upgrade my AGPM servers to Server 2019 for it to function properly.

In the meantime, I've developed my own workaround. It is not ideal, but it works.

I can set the user that needs edit access to an individual GPO as a Reviewer in the Domain and then grant the Editor role on the individual GPO. Of course, this grants read access to all GPOs in the Domain. Definitely not ideal when you are trying to secure GPOs by least privilege. It will work until the time that a GPO is deployed that needs to be hidden from everyone with the exception of a specific security group.
