You need to have at least "read" and "create" access to a managed domain in order to create any objects in the version control root.
If you do not want the GPOADmin user to be able to traverse the live environment, but work within the version control root only, this "Read" access will allow them to.
You can remove access to the live environment node completely.
Right-click the "Live Environment" node and select "Properties",
By default, all users can view this.
You will need to create a group within Active Directory that only includes users who should be able to view this section.
Add this group under "Security" and select "OK".
After reconnecting, the users that are not in this group will no longer be able to browse the "Live Environment" node.
They will still be able to create, edit and delete GPOs from within version control.
