Today I wrote on the Group Policy team blog about AGPM 3.0 and how its not preserving all the Deny ACE's into the AGPM archive that are applied to the GPO's that you might have set in GPMC. If youre interested even in a side discussion in GP security filtering, I wrote all about it there.
it would be nice if AGPM alerts me when it changes anything (deny read ACE),
it would be nice to control the security filtering for a GPO in the AGPM direct, now I have still to use the GPMC to do it,
some more documentation for the AGPM 3.0 would be very welcome, too.