The Permission for vsphere.local/Administrator and vsphere.local/vpxd-extension are inerited from global level permission and I belive you modified them at VC root level and the issue is occuring due to vsphere.local/vpxd-extension user permission are set to read-only.
But you can still overcome this issue by following below steps.
1) Take a back-up of your existing VC setup(important)
2) Restart your VPXD service(vmware-vpxd).
3) Login to WebClient as email@example.com user.(this user still have admin permission)
4) Go to global permissions page.
5) Select user "vsphere.local/vpxd-extension-"
6) Delete permission.
7) In Global permission page only again add the administrative role permission for "vsphere.local/vpxd-extension-" user.
8) Comeback to VC level permission page, now you should be able to Add/Modify the permissions.
Please remember you must take a backup of your VC setup before performing above steps if something goes wrong while performing above steps you can always revert to previous state.
also I think if you restart your VC for some reason with current state you are no more able to see any permissions.
Long story short,
I was getting this error, couldn't add any AD users/groups to objects in vCenter through permissions. Rebooted the PSC, yada yada but nothing worked. I could add local users/groups to objects so knew it had to be something with AD. Adding a user/group from AD worked all the way up until the end and then it would fail with the error mentioned. This was misleading because I could search AD and find the user/group I wanted to add. So I thought AD was working. But I removed that AD identity source and added it back in and everything worked fine after that. It's almost like it was "half" working. You could search it and find users and groups but it couldn't verify the login for these users.
Anyhoo....the fix here was basically "turn it off and back on again"....but for AD.