AGPM error - Microsoft.Agpm.AccessDeniedException (80070005) - Could not retrieve the list of controlled GPOs.

Hello,

In AGPM, as the Admin that has Full Control, I assigned a new controlled GPO to a group which has the 'Editor' permissions.  When a user account who is a member of that group goes into AGPM to edit the GPO, they get the access denied error and cannot see any GPOs.  Am I missing something here?  Why can't this user who was assigned the 'Editor' permissions see the controlled GPOs and edit the specific GPO they have permissions to edit?  Thanks in advance.

June 2nd, 2012 3:59pm

I think I figured out the issue, so could somebody please validate my findings as follows:

The group I assigned to the GPO which had 'Editor' permissions was not delegated any permissions in the 'Domain-Level role-based delegation' tab.  When a group is assigned a role in the 'Domain-Level role-based delegation' tab, does the group now receive permissions/access to the archive?

When I assigned the 'editor' role to the group I assigned to the GPO in the 'Domain-Level role-based delegation' tab, now the user account who is a member of that group could edit the GPO.

So can someone validate the points above and the fact that any role assigned to a group on the 'Controlled' tab, and the group is associated with a GPO must also go through the same role assignment in 'Domain-Level role based delegation' in order for the permissions to take effect.  Thanks in advance.

June 2nd, 2012 9:44pm

Hi,

AGPM provides comprehensive, easy-to-use role-based delegation for managing access to GPOs in the archive. Domain-level permissions enable AGPM Administrators to provide access to individual domains without providing access to other domains. GPO-based delegation enables AGPM Administrators to provide access to specific GPOs without providing domain-wide access.

So to create delegated permissions within the AGPM environment, you have two choices. First is on Domain-level delegation tab, you can configure delegation to control all GPOs within the AGPM repository at a specified level. The second is on GPO level.

To make changes to a controlled GPO, you must first check out a copy of the GPO from the archive. When you have finished modifying the GPO, you need to check it into the archive again.

For more information please refer to the following MS articles:

Overview of Advanced Group Policy Management
http://technet.microsoft.com/en-us/library/ee390975
Delegate Domain-Level Access to the Archive
http://technet.microsoft.com/en-us/library/ee390960
Delegate Access to an Individual GPO in the Archive
http://technet.microsoft.com/en-us/library/ee378490
Editing a GPO
http://technet.microsoft.com/en-us/library/ee378480
June 4th, 2012 5:41am
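Added example (not from this thread, and not part of AGPM itself): when a delegated editor gets access denied, two things outside the AGPM archive produce the same symptom, the user not actually being in the group, and the production GPO's ACL not granting that group edit rights. The read-only PowerShell below checks both with the RSAT GroupPolicy and ActiveDirectory modules. The GPO, group and user names are assumed placeholders. AGPM's own role assignments (the 'Domain-Level role-based delegation' tab and the per-GPO delegation discussed above) live in the archive and are not visible to these cmdlets, so they still have to be verified in the Change Control node.

```powershell
# Added troubleshooting helper; not from the thread or from the AGPM product.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules are installed on the admin workstation.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Example Controlled GPO'   # assumed placeholder
$GroupName = 'GPO-Editors'              # assumed placeholder
$UserName  = 'jdoe'                     # assumed placeholder (sAMAccountName)

# 1. Is the user a direct or nested member of the editor group?
$members  = Get-ADGroupMember -Identity $GroupName -Recursive |
            Where-Object { $_.objectClass -eq 'user' }
$isMember = [bool]($members | Where-Object { $_.SamAccountName -eq $UserName })
if ($isMember) {
    Write-Host "$UserName is a member of $GroupName (directly or via nesting)."
} else {
    # A freshly added member also needs a new logon token before the membership takes effect.
    Write-Warning "$UserName is NOT a member of $GroupName."
}

# 2. What does the production GPO's ACL grant that group?
$perm = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Trustee.Name -eq $GroupName }
if ($null -eq $perm) {
    Write-Warning "$GroupName has no explicit permission on GPO '$GpoName'."
} else {
    # Expect GpoEdit (or GpoEditDeleteModifySecurity) for an editor group.
    Write-Host "$GroupName has '$($perm.Permission)' on GPO '$GpoName'."
}

# 3. List every trustee on the GPO; useful for spotting a mistyped group name.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Inherited |
    Format-Table -AutoSize
```

Run it as the same admin account that manages AGPM; it only reads AD and GPMC data and changes nothing.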

I must have been doing something wrong because when, as an admin with Full Control, I add a group with the right permissions to the GPO and that group has not been 'delegated' through the 'Domain Delegation' tab, the permissions work fine and the user account can read and edit the GPO.

June 5th, 2012 4:28pm

If when you open the GPMC and select the Change Control node you get an error saying "Could not retrieve a list of controlled GPOs. You do not have sufficient permissions to perform this operation" then you're probably logged on to your admin workstation using a different user account than the one you used earlier to install the AGPM Server component on your domain controller. Be sure to use the same admin-level user account for both walkthroughs above.  We'll learn how to delegate AGPM roles in a later article of this series.

http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Advanced-Group-Policy-Management-Part1.html

July 11th, 2013 5:30am
