AGPM Access Denied

BriggsDane 166 Reputation points
2020-12-14T17:38:59.843+00:00

I need to grant a user edit rights to a single GPO through AGPM. I selected the GPO in Change Control, Controlled tab and then I added the user and gave the user Editor role. When the user opens the GPMC and selects Change Control he gets the following error.

Could not retrieve the list of controlled GPOs.

The following error occurred:
You do not have sufficient permissions to perform this operation.
Microsoft.Agpm.AccessDeniedException (80070005)

If I grant the user the Editor role through the Domain Delegation tab then the user has no issues, but it also gives that user editor rights to GPOs that he should not have access to.


Accepted answer
  1. BriggsDane 166 Reputation points
    2021-03-09T19:08:30.603+00:00

    Per MS documentation

    "To delegate read access to Group Policy administrators who use AGPM, you must grant them List Contents as well as Read Settings permissions. This enables them to view GPOs on the Contents tab of AGPM. Other permissions must be explicitly delegated."

    This is why setting the user as a Reviewer in the domain and then granting the Editor role on the individual GPO works. The minimum rights required to open the archive are List Contents and Read Settings in Domain Delegation.

5 additional answers

  1. BriggsDane 166 Reputation points
    2020-12-14T17:39:53.923+00:00

    Upon further research I discovered that one possible issue was that Changes to Group Policy object permissions through AGPM are ignored. So I made the registry changes below. It's not exactly the same issue but I thought it would be worth a try.

    Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Agpm
    Value name: OverrideRemovePermissionsWithoutReadAndApply
    Value type: String REG_SZ
    Value data: 1

    Now the user gets the following error, and if you cancel from the error you get "Archive not found".

    Failed to read the domain configuration information.

    The following error occurred:
    The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.
    System.ServiceModel.FaultException (80131501)

    I believe the underlying issue is still a permissions issue to the Archive.

  2. BriggsDane 166 Reputation points
    2020-12-14T20:42:51.747+00:00

    AGPM Client Log

    2020-12-14 15:35:20:9090201 [pid=8664,tid=1] [Verbose] Closing AGPM Server connection if open...
    2020-12-14 15:35:20:9090201 [pid=8664,tid=1] [Verbose] Locking AGPM Server connection to make changes...
    2020-12-14 15:35:20:9090201 [pid=8664,tid=1] [Verbose] Server write lock acquired.
    2020-12-14 15:35:20:9090201 [pid=8664,tid=1] [Verbose] Releasing AGPM Server write lock...
    2020-12-14 15:35:20:9090201 [pid=8664,tid=1] [Verbose] Closing AGPM Server connection if open...
    2020-12-14 15:35:20:9090201 [pid=8664,tid=1] [Verbose] Locking AGPM Server connection to make changes...
    2020-12-14 15:35:20:9090201 [pid=8664,tid=1] [Verbose] Server write lock acquired.
    2020-12-14 15:35:20:9090201 [pid=8664,tid=1] [Verbose] Releasing AGPM Server write lock...
    2020-12-14 15:35:51:3268232 [pid=5360,tid=4] [Verbose] Entering AgpmClient.Reconnect()
    2020-12-14 15:35:51:4597195 [pid=5360,tid=6] [Verbose] Locking AGPM Server connection to make changes...
    2020-12-14 15:35:51:4597195 [pid=5360,tid=6] [Verbose] Server write lock acquired.
    2020-12-14 15:35:51:4753448 [pid=5360,tid=6] [Verbose] Locking AGPM Server connection to make changes...
    2020-12-14 15:35:51:4753448 [pid=5360,tid=6] [Verbose] Server write lock acquired.
    2020-12-14 15:35:51:4909733 [pid=5360,tid=6] [Verbose] Releasing AGPM Server write lock...
    2020-12-14 15:35:51:4909733 [pid=5360,tid=6] [Verbose] Locking AGPM Server connection to make changes...
    2020-12-14 15:35:51:4909733 [pid=5360,tid=6] [Verbose] Server write lock acquired.
    2020-12-14 15:35:51:5065968 [pid=5360,tid=6] [Verbose] Entering Spn.Generate().
    2020-12-14 15:35:51:5065968 [pid=5360,tid=6] [Info] Raw server DNS host name or IP address = AGPMSERVER
    2020-12-14 15:35:51:5222231 [pid=5360,tid=6] [Info] Resolved server DNS host name = AGPMSERVER
    2020-12-14 15:35:51:5222231 [pid=5360,tid=6] [Info] SPN = AgpmServer/AGPMSERVER
    2020-12-14 15:35:51:5222231 [pid=5360,tid=6] [Verbose] Leaving Spn.Generate().
    2020-12-14 15:35:51:7097273 [pid=5360,tid=6] [Verbose] Releasing AGPM Server write lock...
    2020-12-14 15:35:51:7097273 [pid=5360,tid=6] [Verbose] Releasing AGPM Server write lock...
    2020-12-14 15:35:51:7097273 [pid=5360,tid=4] [Verbose] Leaving AgpmClient.Reconnect()
    2020-12-14 15:35:51:7253566 [pid=5360,tid=4] [Verbose] Entering AgpmClient.SetDomainController().
    2020-12-14 15:35:51:7253566 [pid=5360,tid=4] [Verbose] { domain=ADDEV.dev., domainController= }
    2020-12-14 15:35:51:7253566 [pid=5360,tid=4] [Verbose] Waiting for server connection to be ready for processing client requests...
    2020-12-14 15:35:51:7253566 [pid=5360,tid=4] [Verbose] Server read lock acquired.
    2020-12-14 15:35:51:7566047 [pid=5360,tid=4] [Verbose] Releasing AGPM Server read lock...
    2020-12-14 15:35:51:7566047 [pid=5360,tid=4] [Verbose] Entering Common.CheckAgpmResult().
    2020-12-14 15:35:51:7566047 [pid=5360,tid=4] [Verbose] Leaving Common.CheckAgpmResult().
    2020-12-14 15:35:51:7566047 [pid=5360,tid=4] [Verbose] Leaving AgpmClient.SetDomainController().
    2020-12-14 15:35:51:7722340 [pid=5360,tid=10] [Verbose] Entering AgpmClient.GetVaultSecurityDescriptor().
    2020-12-14 15:35:51:7878554 [pid=5360,tid=10] [Verbose] Waiting for server connection to be ready for processing client requests...
    2020-12-14 15:35:51:7878554 [pid=5360,tid=10] [Verbose] Server read lock acquired.
    2020-12-14 15:35:51:8034843 [pid=5360,tid=10] [Verbose] Releasing AGPM Server read lock...
    2020-12-14 15:35:51:8034843 [pid=5360,tid=10] [Verbose] Entering Common.CheckAgpmResult().
    2020-12-14 15:35:51:8034843 [pid=5360,tid=10] [Verbose] Leaving Common.CheckAgpmResult().
    2020-12-14 15:35:51:8034843 [pid=5360,tid=10] [Verbose] Leaving AgpmClient.GetVaultSecurityDescriptor().
    2020-12-14 15:35:51:8034843 [pid=5360,tid=10] [Verbose] Entering AgpmClient.GetDomainSecurityDescriptor().
    2020-12-14 15:35:51:8034843 [pid=5360,tid=10] [Verbose] Waiting for server connection to be ready for processing client requests...
    2020-12-14 15:35:51:8034843 [pid=5360,tid=10] [Verbose] Server read lock acquired.
    2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] Releasing AGPM Server read lock...
    2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] Entering Common.CheckAgpmResult().
    2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] Leaving Common.CheckAgpmResult().
    2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] Leaving AgpmClient.GetDomainSecurityDescriptor().
    2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] Entering AgpmClient.GetDomainInfo().
    2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] { domain=ADDEV.dev.com }
    2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] Waiting for server connection to be ready for processing client requests...
    2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] Server read lock acquired.
    2020-12-14 15:35:51:8347318 [pid=5360,tid=10] [Verbose] Releasing AGPM Server read lock...
    2020-12-14 15:35:51:8347318 [pid=5360,tid=10] [Verbose] Entering Common.CheckAgpmResult().
    2020-12-14 15:35:51:8347318 [pid=5360,tid=10] [Verbose] Leaving Common.CheckAgpmResult().
    2020-12-14 15:35:51:8347318 [pid=5360,tid=10] [Verbose] Leaving AgpmClient.GetDomainInfo().
    2020-12-14 15:35:51:8503576 [pid=5360,tid=10] [Verbose] Entering AgpmClient.GetProductionGPOSecurityDescriptor().
    2020-12-14 15:35:51:8503576 [pid=5360,tid=10] [Verbose] Waiting for server connection to be ready for processing client requests...
    2020-12-14 15:35:51:8503576 [pid=5360,tid=10] [Verbose] Server read lock acquired.
    2020-12-14 15:35:51:8640391 [pid=5360,tid=10] [Verbose] Releasing AGPM Server read lock...
    2020-12-14 15:35:51:8640391 [pid=5360,tid=10] [Verbose] Entering Common.CheckAgpmResult().
    2020-12-14 15:35:51:8650391 [pid=5360,tid=10] [Verbose] Leaving Common.CheckAgpmResult().
    2020-12-14 15:35:51:8660388 [pid=5360,tid=10] [Verbose] Leaving AgpmClient.GetProductionGPOSecurityDescriptor().
    2020-12-14 15:35:51:8670437 [pid=5360,tid=10] [Verbose] Entering AgpmClient.GetPurgeLimit().
    2020-12-14 15:35:51:8690399 [pid=5360,tid=10] [Verbose] Waiting for server connection to be ready for processing client requests...
    2020-12-14 15:35:51:8700395 [pid=5360,tid=10] [Verbose] Server read lock acquired.
    2020-12-14 15:35:51:8713899 [pid=5360,tid=10] [Verbose] Releasing AGPM Server read lock...
    2020-12-14 15:35:51:8713899 [pid=5360,tid=10] [Verbose] Entering Common.CheckAgpmResult().
    2020-12-14 15:35:51:8713899 [pid=5360,tid=10] [Verbose] Leaving Common.CheckAgpmResult().
    2020-12-14 15:35:51:8713899 [pid=5360,tid=10] [Verbose] Leaving AgpmClient.GetPurgeLimit().
    2020-12-14 15:35:51:8870099 [pid=5360,tid=11] [Verbose] Entering AgpmClient.GetControlledGPOs().
    2020-12-14 15:35:51:8870099 [pid=5360,tid=11] [Verbose] Waiting for server connection to be ready for processing client requests...
    2020-12-14 15:35:51:8870099 [pid=5360,tid=11] [Verbose] Server read lock acquired.
    2020-12-14 15:35:51:9182641 [pid=5360,tid=11] [Verbose] Releasing AGPM Server read lock...
    2020-12-14 15:35:51:9182641 [pid=5360,tid=11] [Verbose] Entering Common.CheckAgpmResult().
    2020-12-14 15:35:51:9182641 [pid=5360,tid=11] [Verbose] OverallStatus is failure code: -2147024891
    2020-12-14 15:35:51:9495108 [pid=5360,tid=11] [Verbose] Leaving Common.CheckAgpmResult().
    2020-12-14 15:35:53:9172368 [pid=5360,tid=11] [Error] Error in AgpmClient.GetControlledGPOs(). Microsoft.Agpm.AgpmStatusMessageException: You do not have sufficient permissions to perform this operation.
    at Microsoft.Agpm.GuiErrorHandler.HandleNonCommunicationException(IWin32Window parentWindow, Exception e, String errorMessage, Boolean rethrowException)
    at Microsoft.Agpm.GuiErrorHandler.HandleNonCommunicationException(IWin32Window parentWindow, Exception e, String errorMessage)
    at Microsoft.Agpm.AgpmClient.SendMessageT
    at Microsoft.Agpm.AgpmClient.Microsoft.Agpm.IGPOVaultClient.GetControlledGPOs(String domain)
    2020-12-14 15:35:53:9328608 [pid=5360,tid=11] [Verbose] Leaving AgpmClient.GetControlledGPOs().

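    The client log above is verbose enough to locate the failing call without the GUI: each "OverallStatus is failure code" line is preceded on the same thread by an "Entering AgpmClient.<Operation>()" line, and the signed decimal code is an HRESULT (-2147024891 is 0x80070005, E_ACCESSDENIED). The following is an added example, not code from the original thread or from Microsoft, that correlates those lines per thread over a constructed excerpt modelled on the posted log:

```python
import re

# Constructed excerpt modelled on the AGPM client log posted above (not the full log).
SAMPLE_LOG = """\
2020-12-14 15:35:51:8870099 [pid=5360,tid=11] [Verbose] Entering AgpmClient.GetControlledGPOs().
2020-12-14 15:35:51:8870099 [pid=5360,tid=11] [Verbose] Server read lock acquired.
2020-12-14 15:35:51:9182641 [pid=5360,tid=11] [Verbose] Entering Common.CheckAgpmResult().
2020-12-14 15:35:51:9182641 [pid=5360,tid=11] [Verbose] OverallStatus is failure code: -2147024891
2020-12-14 15:35:51:9495108 [pid=5360,tid=11] [Verbose] Leaving Common.CheckAgpmResult().
2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] Entering AgpmClient.GetDomainInfo().
2020-12-14 15:35:51:8347318 [pid=5360,tid=10] [Verbose] Leaving AgpmClient.GetDomainInfo().
"""

# One AGPM client log line: "<date> <time> [pid=N,tid=N] [Level] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[pid=(?P<pid>\d+),tid=(?P<tid>\d+)\] \[(?P<level>\w+)\] (?P<msg>.*)$"
)
ENTER_RE = re.compile(r"^Entering (?P<op>AgpmClient\.\w+)\(")
FAIL_RE = re.compile(r"^OverallStatus is failure code: (?P<code>-?\d+)$")

# Only the code that appears on this page is named; anything else is reported as raw hex.
HRESULT_NAMES = {0x80070005: "E_ACCESSDENIED"}


def hresult_hex(code: int) -> str:
    """Render the signed 32-bit decimal the log prints as an unsigned HRESULT."""
    return f"0x{code & 0xFFFFFFFF:08X}"


def find_failures(log_text: str) -> list:
    """Return one record per failure code, attributed to the AgpmClient call on that thread."""
    current_op = {}  # tid -> most recently entered AgpmClient operation on that thread
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tid, msg = m["tid"], m["msg"]
        entered = ENTER_RE.match(msg)
        if entered:
            current_op[tid] = entered["op"]
            continue
        failed = FAIL_RE.match(msg)
        if failed:
            code = int(failed["code"])
            failures.append({
                "timestamp": m["ts"],
                "tid": tid,
                "operation": current_op.get(tid, "<unknown>"),
                "hresult": hresult_hex(code),
                "name": HRESULT_NAMES.get(code & 0xFFFFFFFF, "unknown HRESULT"),
            })
    return failures
```

    Run against the full log, this attributes the access-denied code to AgpmClient.GetControlledGPOs on tid 11, which is the archive listing call that needs List Contents and Read Settings on the domain.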

  3. Vicky Wang 2,646 Reputation points
    2020-12-15T09:30:42.247+00:00

    Hi,
    Thank you for posting in our forum
    What are the configurations on AGPM and GPMC? From your description, this is a permission issue.
    You can cancel the GPMC permission first, and then only leave the GPMC permission. Check if there are other errors.
    Hope this information can help you
    Best wishes
    Vicky


  4. BriggsDane 166 Reputation points
    2021-01-19T17:42:26.73+00:00

    This seems to be an Archive permissions issue. I tried creating a new GPO in the Archive only and granted a single user editor rights to the individual GPO. When the individual user opens AGPM they receive:

    Could not retrieve the list of controlled GPOs.

    The following error occurred:
    You do not have sufficient permissions to perform this operation.
    Microsoft.Agpm.AccessDeniedException (80070005)
