I have already successfully managed GPO permissions with scripts, but I face one specific situation where I get error -2147024846 when committing the changes I made to the security object.

Following situation:
Customer has used an account on GPOs using the "Advanced" button on GPMC. There he selected "Full Control" which means every single permission will be applied to that account. Interesting: The regular GPMC delegation view (NOT under Advanced) splits that up into two permissions: "Apply" (to be seen under "Scope" tab) and "Edit Settings, delete, modify security" (to be seen under "delegation" tab).
The same appears when reading the permissions via script (=enumerating the GetSecurityInfo result):
There are 2 different permissions for that account (Apply + Edit / Delete).
The problem: I cannot remove these permissions via script: Whenever I call SetSecurityInfo it fails with error -2147024846.
Various tests proved that it does not have to do with a special GPO or that special account. I can reproduce it with every new GPO and with every account (even in different domains).
The point is the "Full Control" permission that has been applied using the "Advanced" button in GPMC (OK, not a good idea anyway, but the situation is the way it is).

I tried two ways:
1. using the "Remove" method of "IGPMSecurityInfo" providing the permission object
2. using the "RemoveTrustee" method of "IGPMSecurityInfo" providing the SID of the account

I am running out of ideas, so I would be happy about any hint how to overcome that situation.

Thanks a lot.

Pago
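
A read-only diagnostic for the situation described in the post, added here as an example and not code from the original poster: it decodes the reported error (-2147024846 is HRESULT 0x80070032, Win32 code 50, ERROR_NOT_SUPPORTED) and lists every permission entry that `GetSecurityInfo` returns for one GPO, including the raw permission value and the inherited/denied flags. It assumes GPMC is installed; the domain name and GPO GUID are placeholders, and the function name `ConvertFrom-HResult` is made up for this example.

```powershell
# Added example. Read-only: it enumerates permissions and changes nothing.
# Placeholders (assumptions): replace both values before running.
$DomainName = 'example.test'                            # placeholder domain
$GpoGuid    = '{00000000-0000-0000-0000-000000000000}'  # placeholder GPO GUID

# Split an HRESULT into facility and code; resolve Win32 codes to their message text.
function ConvertFrom-HResult {
    param([int]$HResult)
    $code     = $HResult -band 0xFFFF              # low 16 bits: status code
    $facility = ($HResult -shr 16) -band 0x1FFF    # bits 16-28: facility
    $message  = $null
    if ($facility -eq 7) {                         # 7 = FACILITY_WIN32
        $message = (New-Object System.ComponentModel.Win32Exception $code).Message
    }
    [pscustomobject]@{
        Hex      = '0x{0:X8}' -f $HResult
        Failure  = ($HResult -lt 0)                # severity bit set
        Facility = $facility
        Code     = $code
        Message  = $message
    }
}

# The value reported in the post.
ConvertFrom-HResult -HResult (-2147024846)

# Enumerate the GPO's permission entries through the GPMC COM interfaces.
$gpm   = New-Object -ComObject GPMgmt.GPM
$const = $gpm.GetConstants()

# Map the numeric GPO permission values to their GPMC constant names.
$names = @{}
foreach ($n in 'PermGPOApply', 'PermGPORead', 'PermGPOEdit',
               'PermGPOEditSecurityAndDelete', 'PermGPOCustom') {
    $names[[int]$const.$n] = $n
}

$gpo = $gpm.GetDomain($DomainName, '', $const.UseAnyDC).GetGPO($GpoGuid)
foreach ($perm in $gpo.GetSecurityInfo()) {
    [pscustomobject]@{
        Trustee    = $perm.Trustee.TrusteeName
        Sid        = $perm.Trustee.TrusteeSid
        Permission = $names[[int]$perm.Permission]
        Raw        = '0x{0:X}' -f [int]$perm.Permission
        Inherited  = $perm.Inherited
        Denied     = $perm.Denied
    }
}
```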