none
Editor and Approver accounts are added to delegation with read after modifying GPO's RRS feed

  • Question

  • Administer a multi-tenant AD and need the possibility to keep custom read permissions.

    Have set the theOverrideRemovePermissionsWithoutReadAndApply to 1 (https://blogs.technet.microsoft.com/389thoughts/2016/10/26/hotfix-2-for-agpm-4-0-sp3-allows-you-to-keep-custom-read-permissions/) to keep custom read permissions.

    I’m struggling with the following issue:

    After Checking out, doing changes, checking in and deploying GPO to production, the user that performed the operation has their user account stuck with “read” permission to the deployed GPO.

    The same happens to a user with editor rights. The moment it gets approved by the Approver, the editor account is set under delegation with read.

    In the following screenshot I have done three edits and the result is this:

    Just imagine if 100 different administrators would make changes to this GPO.

    I tried to create a custom group to grant the users access via the CustomersGroupPolicyRead group. This did nothing. 

    I could ofc Check out, Find the [AGPM] gpo under Group Policy objects, edit the delegation settings (remove my account), Check in and deploy to production. However this would be less then ideal. 


    Tuesday, November 6, 2018 2:56 PM