Jeff Shafer

asked on

Cannot restore a GPO - Access Denied

I have a group of admins who didn't need to be Domain Admins. I removed them from the group and delegated permissions as needed. They have Edits settings, delete, modify security permissions to GPOs and can backup a GPO via the GPMC, but they cannot restore the GPO. Does anyone know the rights I need to grant and to what container to allow them to restore GPOs? Thanks.
McKnife
Open adsiedit.msc and check permissions on
CN=Policies,CN=System,DC=yourdom,DC=yourdomsuffix
Jeff Shafer (asker)
Thanks for the reply! What permissions exactly should they have?

This doc https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/agpm/restore-a-deleted-gpo says:
• By default, you must be an Editor, an Approver, or an AGPM Administrator (Full Control) to perform this procedure. Specifically, you must have List Contents and either Edit Settings, Deploy GPO, or Delete GPO permissions for the GPO.

They have Edit settings listed in the GPMC. They have List on the container itself, looking at the ACL. We do not use AGPM, which I believe the rest applies to.
Did you check the permissions by now? How are they?
If I am not mistaken, for restoring, you need write permissions on that container policies.
I'll show you a screenshot:
[screenshot]
Yes, I looked; they have "Write all properties".
Give them full access for a test and retry. Please bear in mind that permissions, too, are replicated in AD, so allow a replication cycle to pass before you try (half a minute or so).
I would be surprised if Full Control doesn't give them the rights to restore, but I am trying to give them the least number of permissions they need. So I was looking for the exact permission I would need to delegate to restore a GPO.
Please understand how troubleshooting works and do this test. It is a test, it is not a recommended setting. Just a test.
Out of interest, how frequently do they restore a GPO, and for what reason?

This is the PowerShell delegation task I schedule:

Import-Module GroupPolicy
# Group that should receive edit/delete/modify-security rights on every GPO
$grp = "DG-FullControlGPOs"
# Highest per-GPO level Set-GPPermission offers (edit, delete, modify security)
$level = "GpoEditDeleteModifySecurity"
$gpos = Get-GPO -All
foreach ($gpo in $gpos)
{
	$gpname = $gpo.DisplayName
	Set-GPPermission -Name $gpname -PermissionLevel $level -TargetName $grp -TargetType Group
}


@McKnife Please refrain from insults. I understand how troubleshooting works, but at the same time I am on this site asking for someone who knows the answer off hand. If you do not know, that is fine and I appreciate your input, but don't trash me please. Thanks.
I was in no way trying to insult you and I have no idea what makes you think I did.
I had the idea that the permissions of that container need to be checked, and the fastest way to find out if those were indeed responsible (and alone responsible) was this test. That's all. Please accept my apologies, although it was not my intention in the first place.
@Shaun Vermaak: Basically this is the desktop group that manages desktop-based GPOs. They are not backing up all of them; they simply back up a particular GPO so they can edit it using PowerBroker tools, then they restore it on top of the old one. They apparently cannot edit it directly in the GPMC. Somewhat of an odd approach, and one of the reasons I am sure they were added to Domain Admins in the past.

I will check out your PowerShell ! Thanks.
ASKER CERTIFIED SOLUTION
Jeff Shafer
For the record: in my test, granting full access allowed them to restore GPOs. Granting only write permissions did not suffice.

Be aware that restoring a GPO whose files you may have modified beforehand entitles you to do pretty much anything in a domain, so be very careful with this delegation.
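Since the thread's finding is that Full Control on CN=Policies,CN=System is what makes restore work, the delegation is worth auditing periodically. The following PowerShell is an added example, not from the thread or any of its participants; it lists every trustee holding GenericAll on that container and flags any that are not the built-in groups you would expect (function name, the expected-group list, and the use of the ActiveDirectory module's AD: drive are assumptions).

```powershell
# Added example (not from this thread): report trustees with Full Control
# (GenericAll) on the Group Policy container, which the thread found is the
# right that lets a delegated admin restore GPOs. Requires RSAT's
# ActiveDirectory module; function and group names are assumptions.
Import-Module ActiveDirectory

function Get-GpoContainerFullControl {
    param(
        # Distinguished name of the domain; defaults to the current one
        [string]$DomainDn = (Get-ADDomain).DistinguishedName
    )
    $policiesDn = "CN=Policies,CN=System,$DomainDn"
    # The AD: drive exposes directory objects with Get-Acl support
    $acl = Get-Acl -Path "AD:\$policiesDn"
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Container = $policiesDn
                Trustee   = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Inherited = $_.IsInherited
                AppliesTo = $_.InheritanceType
            }
        }
}

# Principals normally expected to hold Full Control here (assumed list);
# anything else is a delegation to review, given what restore rights imply.
$expected = @('Administrators', 'Domain Admins', 'Enterprise Admins',
              'SYSTEM', 'CREATOR OWNER')

Get-GpoContainerFullControl |
    Where-Object { $expected -notcontains ($_.Trustee -split '\\')[-1] } |
    Format-Table -AutoSize
```

Any group that appears in the output can restore GPOs and therefore effectively administer the domain, so it should be treated with the same scrutiny as Domain Admins membership.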