AGPM Access Denied

BriggsDane asked:

I need to grant a user edit rights to a single GPO through AGPM. I selected the GPO in Change Control, Controlled tab and then I added the user and gave the user Editor role. When the user opens the GPMC and selects Change Control he gets the following error.

Could not retrieve the list of controlled GPOs.

The following error occurred:
You do not have sufficient permissions to perform this operation.
Microsoft.Agpm.AccessDeniedException (80070005)


If I grant the user the Editor role through the Domain Delegation tab, the user has no issues, but it also gives that user editor rights to GPOs that he should not have access to.



windows-group-policy

BriggsDane answered:

Per MS documentation

"To delegate read access to Group Policy administrators who use AGPM, you must grant them List Contents as well as Read Settings permissions. This enables them to view GPOs on the Contents tab of AGPM. Other permissions must be explicitly delegated."

This is why I set the user as a Reviewer in the Domain and then grant the Editor role on the individual GPO. The minimum rights required to open the archive are List Contents and Read Settings in Domain Delegation.


BriggsDane answered:

Upon further research I discovered that one possible issue was that Changes to Group Policy object permissions through AGPM are ignored. So I made the registry changes below. It's not exactly the same issue but I thought it would be worth a try.

Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Agpm
Value name: OverrideRemovePermissionsWithoutReadAndApply
Value type: String REG_SZ
Value data: 1

Now the user gets the following error, and if you cancel from the error you get "Archive not found".


Failed to read the domain configuration information.

The following error occurred:
The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.
System.ServiceModel.FaultException (80131501)


I believe the underlying issue is still a permissions issue to the Archive.


BriggsDane answered:

AGPM Client Log

2020-12-14 15:35:20:9090201 [pid=8664,tid=1] [Verbose] Closing AGPM Server connection if open...
2020-12-14 15:35:20:9090201 [pid=8664,tid=1] [Verbose] Locking AGPM Server connection to make changes...
2020-12-14 15:35:20:9090201 [pid=8664,tid=1] [Verbose] Server write lock acquired.
2020-12-14 15:35:20:9090201 [pid=8664,tid=1] [Verbose] Releasing AGPM Server write lock...
2020-12-14 15:35:20:9090201 [pid=8664,tid=1] [Verbose] Closing AGPM Server connection if open...
2020-12-14 15:35:20:9090201 [pid=8664,tid=1] [Verbose] Locking AGPM Server connection to make changes...
2020-12-14 15:35:20:9090201 [pid=8664,tid=1] [Verbose] Server write lock acquired.
2020-12-14 15:35:20:9090201 [pid=8664,tid=1] [Verbose] Releasing AGPM Server write lock...
2020-12-14 15:35:51:3268232 [pid=5360,tid=4] [Verbose] Entering AgpmClient.Reconnect()
2020-12-14 15:35:51:4597195 [pid=5360,tid=6] [Verbose] Locking AGPM Server connection to make changes...
2020-12-14 15:35:51:4597195 [pid=5360,tid=6] [Verbose] Server write lock acquired.
2020-12-14 15:35:51:4753448 [pid=5360,tid=6] [Verbose] Locking AGPM Server connection to make changes...
2020-12-14 15:35:51:4753448 [pid=5360,tid=6] [Verbose] Server write lock acquired.
2020-12-14 15:35:51:4909733 [pid=5360,tid=6] [Verbose] Releasing AGPM Server write lock...
2020-12-14 15:35:51:4909733 [pid=5360,tid=6] [Verbose] Locking AGPM Server connection to make changes...
2020-12-14 15:35:51:4909733 [pid=5360,tid=6] [Verbose] Server write lock acquired.
2020-12-14 15:35:51:5065968 [pid=5360,tid=6] [Verbose] Entering Spn.Generate().
2020-12-14 15:35:51:5065968 [pid=5360,tid=6] [Info] Raw server DNS host name or IP address = AGPMSERVER
2020-12-14 15:35:51:5222231 [pid=5360,tid=6] [Info] Resolved server DNS host name = AGPMSERVER
2020-12-14 15:35:51:5222231 [pid=5360,tid=6] [Info] SPN = AgpmServer/AGPMSERVER
2020-12-14 15:35:51:5222231 [pid=5360,tid=6] [Verbose] Leaving Spn.Generate().
2020-12-14 15:35:51:7097273 [pid=5360,tid=6] [Verbose] Releasing AGPM Server write lock...
2020-12-14 15:35:51:7097273 [pid=5360,tid=6] [Verbose] Releasing AGPM Server write lock...
2020-12-14 15:35:51:7097273 [pid=5360,tid=4] [Verbose] Leaving AgpmClient.Reconnect()
2020-12-14 15:35:51:7253566 [pid=5360,tid=4] [Verbose] Entering AgpmClient.SetDomainController().
2020-12-14 15:35:51:7253566 [pid=5360,tid=4] [Verbose] { domain=ADDEV.dev., domainController= }
2020-12-14 15:35:51:7253566 [pid=5360,tid=4] [Verbose] Waiting for server connection to be ready for processing client requests...
2020-12-14 15:35:51:7253566 [pid=5360,tid=4] [Verbose] Server read lock acquired.
2020-12-14 15:35:51:7566047 [pid=5360,tid=4] [Verbose] Releasing AGPM Server read lock...
2020-12-14 15:35:51:7566047 [pid=5360,tid=4] [Verbose] Entering Common.CheckAgpmResult().
2020-12-14 15:35:51:7566047 [pid=5360,tid=4] [Verbose] Leaving Common.CheckAgpmResult().
2020-12-14 15:35:51:7566047 [pid=5360,tid=4] [Verbose] Leaving AgpmClient.SetDomainController().
2020-12-14 15:35:51:7722340 [pid=5360,tid=10] [Verbose] Entering AgpmClient.GetVaultSecurityDescriptor().
2020-12-14 15:35:51:7878554 [pid=5360,tid=10] [Verbose] Waiting for server connection to be ready for processing client requests...
2020-12-14 15:35:51:7878554 [pid=5360,tid=10] [Verbose] Server read lock acquired.
2020-12-14 15:35:51:8034843 [pid=5360,tid=10] [Verbose] Releasing AGPM Server read lock...
2020-12-14 15:35:51:8034843 [pid=5360,tid=10] [Verbose] Entering Common.CheckAgpmResult().
2020-12-14 15:35:51:8034843 [pid=5360,tid=10] [Verbose] Leaving Common.CheckAgpmResult().
2020-12-14 15:35:51:8034843 [pid=5360,tid=10] [Verbose] Leaving AgpmClient.GetVaultSecurityDescriptor().
2020-12-14 15:35:51:8034843 [pid=5360,tid=10] [Verbose] Entering AgpmClient.GetDomainSecurityDescriptor().
2020-12-14 15:35:51:8034843 [pid=5360,tid=10] [Verbose] Waiting for server connection to be ready for processing client requests...
2020-12-14 15:35:51:8034843 [pid=5360,tid=10] [Verbose] Server read lock acquired.
2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] Releasing AGPM Server read lock...
2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] Entering Common.CheckAgpmResult().
2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] Leaving Common.CheckAgpmResult().
2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] Leaving AgpmClient.GetDomainSecurityDescriptor().
2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] Entering AgpmClient.GetDomainInfo().
2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] { domain=ADDEV.dev.com }
2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] Waiting for server connection to be ready for processing client requests...
2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] Server read lock acquired.
2020-12-14 15:35:51:8347318 [pid=5360,tid=10] [Verbose] Releasing AGPM Server read lock...
2020-12-14 15:35:51:8347318 [pid=5360,tid=10] [Verbose] Entering Common.CheckAgpmResult().
2020-12-14 15:35:51:8347318 [pid=5360,tid=10] [Verbose] Leaving Common.CheckAgpmResult().
2020-12-14 15:35:51:8347318 [pid=5360,tid=10] [Verbose] Leaving AgpmClient.GetDomainInfo().
2020-12-14 15:35:51:8503576 [pid=5360,tid=10] [Verbose] Entering AgpmClient.GetProductionGPOSecurityDescriptor().
2020-12-14 15:35:51:8503576 [pid=5360,tid=10] [Verbose] Waiting for server connection to be ready for processing client requests...
2020-12-14 15:35:51:8503576 [pid=5360,tid=10] [Verbose] Server read lock acquired.
2020-12-14 15:35:51:8640391 [pid=5360,tid=10] [Verbose] Releasing AGPM Server read lock...
2020-12-14 15:35:51:8640391 [pid=5360,tid=10] [Verbose] Entering Common.CheckAgpmResult().
2020-12-14 15:35:51:8650391 [pid=5360,tid=10] [Verbose] Leaving Common.CheckAgpmResult().
2020-12-14 15:35:51:8660388 [pid=5360,tid=10] [Verbose] Leaving AgpmClient.GetProductionGPOSecurityDescriptor().
2020-12-14 15:35:51:8670437 [pid=5360,tid=10] [Verbose] Entering AgpmClient.GetPurgeLimit().
2020-12-14 15:35:51:8690399 [pid=5360,tid=10] [Verbose] Waiting for server connection to be ready for processing client requests...
2020-12-14 15:35:51:8700395 [pid=5360,tid=10] [Verbose] Server read lock acquired.
2020-12-14 15:35:51:8713899 [pid=5360,tid=10] [Verbose] Releasing AGPM Server read lock...
2020-12-14 15:35:51:8713899 [pid=5360,tid=10] [Verbose] Entering Common.CheckAgpmResult().
2020-12-14 15:35:51:8713899 [pid=5360,tid=10] [Verbose] Leaving Common.CheckAgpmResult().
2020-12-14 15:35:51:8713899 [pid=5360,tid=10] [Verbose] Leaving AgpmClient.GetPurgeLimit().
2020-12-14 15:35:51:8870099 [pid=5360,tid=11] [Verbose] Entering AgpmClient.GetControlledGPOs().
2020-12-14 15:35:51:8870099 [pid=5360,tid=11] [Verbose] Waiting for server connection to be ready for processing client requests...
2020-12-14 15:35:51:8870099 [pid=5360,tid=11] [Verbose] Server read lock acquired.
2020-12-14 15:35:51:9182641 [pid=5360,tid=11] [Verbose] Releasing AGPM Server read lock...
2020-12-14 15:35:51:9182641 [pid=5360,tid=11] [Verbose] Entering Common.CheckAgpmResult().
2020-12-14 15:35:51:9182641 [pid=5360,tid=11] [Verbose] OverallStatus is failure code: -2147024891
2020-12-14 15:35:51:9495108 [pid=5360,tid=11] [Verbose] Leaving Common.CheckAgpmResult().
2020-12-14 15:35:53:9172368 [pid=5360,tid=11] [Error] Error in AgpmClient.GetControlledGPOs(). Microsoft.Agpm.AgpmStatusMessageException: You do not have sufficient permissions to perform this operation.
at Microsoft.Agpm.GuiErrorHandler.HandleNonCommunicationException(IWin32Window parentWindow, Exception e, String errorMessage, Boolean rethrowException)
at Microsoft.Agpm.GuiErrorHandler.HandleNonCommunicationException(IWin32Window parentWindow, Exception e, String errorMessage)
at Microsoft.Agpm.AgpmClient.SendMessage[T](AgpmMessageType type, IDictionary`2 properties, String errorMessage)
at Microsoft.Agpm.AgpmClient.Microsoft.Agpm.IGPOVaultClient.GetControlledGPOs(String domain)
2020-12-14 15:35:53:9328608 [pid=5360,tid=11] [Verbose] Leaving AgpmClient.GetControlledGPOs().


VickyWang-MFST answered:

Hi,
Thank you for posting in our forum.
What are the configurations on AGPM and GPMC? From your description, this is a permission issue.
You can cancel the GPMC permission first, and then only leave the GPMC permission. Check if there are other errors.
Hope this information can help you.
Best wishes,
Vicky

Comment:

It's absolutely a permissions issue. For some reason adding a role to an individual GPO is not giving it the access to the Archive.
I'm not sure what you are asking for regarding configuration?
I have a single AGPM Server that is using a service account. That service account is a member of the AGPM-Admin AD Group. That AGPM-Admin AD Group is set as the archive owner and has full rights to C:/Windows/Temp.
I have 4 different AD Groups. These groups work as expected. The groups are configured as follows in the Domain Delegation:
AGPM-Admin = Full
AGPM-Approvers = Reviewer, Approver
AGPM-Editors = Reviewer, Editor
AGPM-Reviewer = Reviewer

AGPM Server and Client are installed on a single server with the archive on that server.

The user that needs to edit the single GPO has been granted Reviewer, Editor on that GPO. The GPO is not in production. It is only in the Archive as of now.


Comment:

I don't know what you mean when you say "You can cancel the GPMC permission first, and then only leave the GPMC permission".

Errors in the AGPM Server log

[Error] IAgpmServer.GetDomainInfo(): Do not have permissions for READ_DOMAIN_CONFIG operation
[Error] IAgpmServer.GetBackupPurgeLimit(): Do not have permissions for GET_DOMAIN_BACKUP_PURGE_LIMIT operation
[Error] [Contoso.com] Msg:Error in IAgpmServer.GetControlledGPOs(). Microsoft.Agpm.AccessDeniedException: You do not have sufficient permissions to perform this operation.
at Microsoft.Agpm.AgpmServer.GetControlledGPOs(IAgpmMessage agpmMessage, AgpmResult& agpmResult)


Domain Delegation works; however, GPO delegation does not.

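The client log posted earlier in this thread and the server-log excerpt above are the two places where the denial actually shows up, and reading them by hand means matching a signed failure code on one thread to the AgpmClient call that wrapped it, then finding the corresponding IAgpmServer entry. The script below is an added example, not code from the thread or from Microsoft: it parses both log shapes, converts the signed failure code AGPM prints (-2147024891) to the HRESULT shown in the dialog (0x80070005, E_ACCESSDENIED), attributes the failure to the enclosing AgpmClient.* call on the same thread, and pairs it with the server-side entry for the same method. The line formats and regular expressions are inferred only from the lines quoted in this thread, and the embedded sample is a constructed, abridged copy of those lines.

```python
import re
from collections import defaultdict

# Constructed sample input: an abridged copy of the AGPM client-log and
# server-log lines quoted in this thread, not a full capture.
CLIENT_LOG = """\
2020-12-14 15:35:51:8191065 [pid=5360,tid=10] [Verbose] Entering AgpmClient.GetDomainInfo().
2020-12-14 15:35:51:8347318 [pid=5360,tid=10] [Verbose] Leaving AgpmClient.GetDomainInfo().
2020-12-14 15:35:51:8870099 [pid=5360,tid=11] [Verbose] Entering AgpmClient.GetControlledGPOs().
2020-12-14 15:35:51:9182641 [pid=5360,tid=11] [Verbose] Entering Common.CheckAgpmResult().
2020-12-14 15:35:51:9182641 [pid=5360,tid=11] [Verbose] OverallStatus is failure code: -2147024891
2020-12-14 15:35:51:9495108 [pid=5360,tid=11] [Verbose] Leaving Common.CheckAgpmResult().
2020-12-14 15:35:53:9172368 [pid=5360,tid=11] [Error] Error in AgpmClient.GetControlledGPOs(). Microsoft.Agpm.AgpmStatusMessageException: You do not have sufficient permissions to perform this operation.
2020-12-14 15:35:53:9328608 [pid=5360,tid=11] [Verbose] Leaving AgpmClient.GetControlledGPOs().
"""

SERVER_LOG = """\
[Error] IAgpmServer.GetDomainInfo(): Do not have permissions for READ_DOMAIN_CONFIG operation
[Error] IAgpmServer.GetBackupPurgeLimit(): Do not have permissions for GET_DOMAIN_BACKUP_PURGE_LIMIT operation
[Error] [Contoso.com] Msg:Error in IAgpmServer.GetControlledGPOs(). Microsoft.Agpm.AccessDeniedException: You do not have sufficient permissions to perform this operation.
"""

# Line shapes inferred from the quoted log lines (assumption: other AGPM
# builds may format these differently).
CLIENT_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) \[pid=(?P<pid>\d+),tid=(?P<tid>\d+)\] "
    r"\[(?P<level>\w+)\] (?P<msg>.*)$")
ENTERING = re.compile(r"Entering (?P<call>AgpmClient\.\w+)\(\)")
LEAVING = re.compile(r"Leaving (?P<call>AgpmClient\.\w+)\(\)")
FAILURE = re.compile(r"OverallStatus is failure code: (?P<code>-?\d+)")
CLIENT_ERR = re.compile(r"Error in (?P<call>AgpmClient\.\w+)\(\)\. (?P<detail>.*)$")
SERVER_DENIED = re.compile(
    r"(?P<call>IAgpmServer\.\w+)\(\): Do not have permissions for (?P<op>\w+) operation")
SERVER_EXC = re.compile(r"Error in (?P<call>IAgpmServer\.\w+)\(\)\. (?P<exc>[\w.]+):")

# HRESULT names we are certain of; anything else is reported as raw hex.
HRESULT_NAMES = {0x80070005: "E_ACCESSDENIED"}


def hresult(signed_code):
    """AGPM prints the result as a signed 32-bit int (-2147024891); convert it
    to the unsigned HRESULT (0x80070005) and name it when known."""
    value = signed_code & 0xFFFFFFFF
    return f"0x{value:08X}", HRESULT_NAMES.get(value, "unknown")


def triage_client_log(text):
    """Attribute each 'OverallStatus is failure code' line to the enclosing
    AgpmClient.* call on the same thread; the Common.CheckAgpmResult wrapper
    is ignored so the finding names the real client request."""
    open_calls = defaultdict(list)  # tid -> stack of open AgpmClient.* calls
    failure = {}                    # tid -> signed failure code
    detail = {}                     # tid -> exception text from the [Error] line
    findings = []
    for line in text.splitlines():
        m = CLIENT_LINE.match(line)
        if not m:
            continue
        tid, msg = m["tid"], m["msg"]
        ent, fail, err, lv = (ENTERING.search(msg), FAILURE.search(msg),
                              CLIENT_ERR.search(msg), LEAVING.search(msg))
        if ent:
            open_calls[tid].append(ent["call"])
        elif fail:
            failure[tid] = int(fail["code"])
        elif err:
            detail[tid] = err["detail"]
        elif lv and open_calls[tid]:
            call = open_calls[tid].pop()
            if tid in failure:
                code, name = hresult(failure.pop(tid))
                findings.append({"call": call, "hresult": code, "name": name,
                                 "detail": detail.pop(tid, "")})
    return findings


def triage_server_log(text):
    """Extract (server call, denied operation or exception type) pairs."""
    findings = []
    for line in text.splitlines():
        denied, exc = SERVER_DENIED.search(line), SERVER_EXC.search(line)
        if denied:
            findings.append((denied["call"], denied["op"]))
        elif exc:
            findings.append((exc["call"], exc["exc"]))
    return findings


def correlate(client_findings, server_findings):
    """Pair a failed client call with the server entry for the same method
    name (AgpmClient.X <-> IAgpmServer.X); None when the server has no match."""
    by_method = {call.split(".")[-1]: what for call, what in server_findings}
    return [(c["call"], c["hresult"], c["name"],
             by_method.get(c["call"].split(".")[-1])) for c in client_findings]


if __name__ == "__main__":
    client = triage_client_log(CLIENT_LOG)
    server = triage_server_log(SERVER_LOG)
    for call, code, name, server_side in correlate(client, server):
        print(f"{call}: {code} ({name}); server reported: {server_side}")
    for call, what in server:
        print(f"server: {call} -> {what}")
```

Run against the sample, the only client finding is AgpmClient.GetControlledGPOs with 0x80070005 (E_ACCESSDENIED), paired with the server's Microsoft.Agpm.AccessDeniedException for the same method; the two server-only denials (READ_DOMAIN_CONFIG, GET_DOMAIN_BACKUP_PURGE_LIMIT) are listed separately, which is the quickest way to see that the per-GPO Editor role never reached the domain-level archive permissions the thread ends up identifying as the problem.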
BriggsDane answered:

This seems to be an Archive permissions issue. I tried creating a new GPO in the Archive only and granted a single user editor rights to the individual GPO. When the individual user opens AGPM they receive:

Could not retrieve the list of controlled GPOs.

The following error occurred:
You do not have sufficient permissions to perform this operation.
Microsoft.Agpm.AccessDeniedException (80070005)


BriggsDane answered:

I opened a support request with MS and after a few weeks they determined that AGPM is not supported on Windows Server 2016 and I need to upgrade my AGPM servers to Server 2019 for it to function properly.

In the meantime, I've developed my own workaround. It is not ideal, but it works.

I can set the user that needs edit access to an individual GPO as a Reviewer in the Domain and then grant Editor role on the individual GPO. Of course, this grants read access to all GPOs in the Domain. Definitely not ideal when you are trying to secure GPOs by least privilege. It will work until the time that a GPO is deployed that needs to be hidden from everyone with the exception of a specific security group.
