Does QAS honour the "ApplyGroupPolicy” permission when applying Group Policy?
Currently this ACL is ignored, the Group Policy will be applied if the user has "Read" access delegated to them.
Remove the "Read" access for the User or Computer
This issue is tracked under Defect ID 19110.
Issue has been addressed in Authentication Services 4.1. Please refer to the AuthenticationServices_4.1_ReleaseNotes.