Hotfix 2 for AGPM 4.0 SP3 allows you to keep custom Read permissions

We released a silent update to AGPM 4.0 SP3 last September. Find it here: https://support.microsoft.com/en-us/kb/3174540. It is also slipstreamed into the latest MDOP release. The update is a change in functionality regarding permissions on GPOs. Let me quote it for you. The old behavior, which always trips up people who are new to AGPM:

If you want to change permissions on a Group Policy object that's controlled in Advanced Group Policy Management (AGPM), you first check out the policy in AGPM, and then you edit the permissions on the Security tab of the policy object. For example, you add the Read only permission to Authenticated Users. To save your changes you then check in the policy in AGPM. However, when you view the Security tab on the policy, you see that your changes were not saved as expected.

With this update we introduce a new registry key called OverrideRemovePermissionsWithoutReadandApply, which does the following. Quoting again:

When OverrideRemovePermissionsWithoutReadandApply is set to 1, any change to permissions will be saved after the policy is checked in to AGPM.

This seems like great new functionality, giving you options that you did not have before. However, my testing revealed that it does not work this way. Not all permissions are saved: it turns out that only Read permissions are preserved, and all Write permissions are stripped. Note that the Apply Group Policy permission was already preserved in the old situation, because GPO filtering was always supported in AGPM.

So what the update really does is allow custom Read permissions on individual GPOs. I'm not quite sure why you would want to do this, although I was assured that this update is a direct result of a Design Change Request (DCR) by a customer.

I suppose it might come in handy if you are fighting some corner-case consequences of our famous update MS16-072 and its remediation, described in an important blog post over at AskDS. The issue is that after applying MS16-072, user Group Policy is retrieved in the security context of the computer account, so the computer object needs Read permission on all user-targeted GPOs. The normal trick is to just add Authenticated Users (which was the default anyway) or Domain Computers with Read permission. AGPM allows this by modifying the Production Delegation settings. If that is somehow too coarse, you can resort to per-GPO permissions using the functionality in this new hotfix for AGPM.
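Before deciding between Production Delegation and per-GPO Read permissions, you want to know which GPOs are actually affected. The script below is an added example, not code from this post or from the AGPM product: it walks every GPO in the domain with the RSAT GroupPolicy module and reports the ones that grant neither Authenticated Users nor Domain Computers at least Read (GPOs with user settings disabled are skipped, since the computer reads those anyway). The trustee names, the set of permission levels treated as "includes Read", and the assumption that you run it from a domain-joined session with rights to read GPO security are mine.

```powershell
# Added example (not from the original post or the AGPM product).
# After MS16-072, a GPO with user settings must be readable by the computer
# account that retrieves it. This lists GPOs where that is not the case.
# Assumes: RSAT GroupPolicy module, domain-joined session, rights to read GPO ACLs.
Import-Module GroupPolicy

# Trustees whose Read permission satisfies MS16-072 (assumed sufficient here;
# a custom computer group would have to be added to this list).
$ReadTrustees = @('Authenticated Users', 'Domain Computers')

# Permission levels that include Read on the GPO (GpoApply, GpoEdit and
# GpoEditDeleteModifySecurity all imply Read). GpoCustom is not assumed to.
$ReadLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

function Test-GpoComputerRead {
    param([Parameter(Mandatory)] $Gpo)

    foreach ($p in (Get-GPPermission -Guid $Gpo.Id -All)) {
        if ($p.Denied) { continue }                     # a Deny ACE never helps
        $name = ($p.Trustee.Name -split '\\')[-1]       # strip any DOMAIN\ prefix
        if ($ReadTrustees -contains $name -and
            $ReadLevels -contains [string]$p.Permission) {
            return $true
        }
    }
    return $false
}

$missing = foreach ($gpo in Get-GPO -All) {
    # Computer-only GPOs are unaffected: the computer already reads them.
    if ($gpo.GpoStatus -eq 'UserSettingsDisabled') { continue }
    if (-not (Test-GpoComputerRead -Gpo $gpo)) { $gpo }
}

$missing | Select-Object DisplayName, Id, GpoStatus | Format-Table -AutoSize

# Remediation for a GPO that is NOT controlled by AGPM: grant Domain Computers Read.
#   Set-GPPermission -Guid <Id> -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead
# For an AGPM-controlled GPO, make the change through AGPM (Production Delegation,
# or per-GPO Read with this hotfix); a direct ACL edit in production may be
# replaced the next time AGPM deploys the GPO.
```

The list this produces is the set of GPOs on which MS16-072 can break user policy processing; per-GPO Read via the hotfix is only worth the trouble if that list is short and you genuinely cannot widen Production Delegation for the rest.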

(Disclaimer: we may change the KB text sometime in the near future, making this post mostly irrelevant.)