Domain – Locked out of DC and domain admin accounts via GPO

active-directory, domain, domain-controller, group-policy

I'm currently locked out of my domain controller and unable to log onto domain computers using accounts that are members of the Domain Admins group, due to the incorrect application of a GPO at the top level. There are no other DCs in the domain. I have tried removing the GPO with RSAT on one of the workstations, but it is also disabled by this GPO. How can I remove this GPO and regain control of my domain? I have access to the DC through DSRM, but I'm not sure how I can use this since AD and Group Policy appear to be disabled when booting into DSRM. Unfortunately, we do not have a recent backup of AD I could restore to, as we just recently migrated to a new DC.

Any ideas are greatly appreciated as I'm currently staying overnight at work until I get this resolved. Thanks all.

Best Answer

After many hours I was able to regain access to the DC. What ended up working for me was the following. Keep in mind I had access to the DSRM login on the DC and basic domain network PowerShell commands.

  1. Identify the GPO GUID using PowerShell on a domain workstation.
    • (Import-Module GroupPolicy, Get-GPO -All, note the GUID of the GPO)
  2. Boot into DSRM using the local administrator account.
  3. Locate the GPO by GUID in the SYSVOL folder.
    • (C:\Windows\SYSVOL\domain\Policies\{YOUR_GUID_HERE})
  4. Navigate to the GptTmpl.inf file in the GPO folder structure.
    • (..\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf)
  5. Make changes to the policy as needed. For me it was removing certain users from "SeDenyInteractiveLogonRight", although I added them to the related 'allow' right as well for good measure. Save this file.
  6. Go back up to the root policy GUID folder and locate the GPT.ini file.
  7. Edit (increment) the version number here. It's easiest to add a 0 to the end of the version number, or at least add 10. Group Policy will check this number to determine if the policy should be re-processed.
  8. Reboot the DC and, assuming you're able to log in, disable/edit/delete the GPO and do a gpupdate /force from the command prompt to make sure the changes propagate quickly.

There were some lingering effects of the GPO that had to be cleaned up with counter-GPOs. For example, WID lost the ability to log on as a service because that right was defined but blank in the problem GPO. As I discovered these effects I wrote one-time GPOs to correct them and pushed them across the domain.

Hope this helps someone and thanks for all the suggestions.
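Steps 3 to 7 of the answer above, done from a script instead of by hand, as an added example that is not part of the original answer and not Microsoft's tooling. It assumes you are logged on to the DC in DSRM as the local administrator, that `$PolicyDir` points at the GPO folder under `C:\Windows\SYSVOL\domain\Policies\{GUID}`, and that the SIDs shown are constructed samples (only the trailing RID 512, Domain Admins, is a real well-known value).

```powershell
# Added example, not code from the original answer. Removes accounts from
# SeDenyInteractiveLogonRight in GptTmpl.inf and bumps the GPT.ini version so
# clients reprocess the GPO. $PolicyDir = C:\Windows\SYSVOL\domain\Policies\{GUID} (assumed).

function Remove-DenyInteractiveLogon {
    param([string]$PolicyDir, [string[]]$Accounts)
    $inf = Join-Path $PolicyDir 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    # GptTmpl.inf is UTF-16 LE; write it back with the same encoding or it is ignored.
    $out = foreach ($line in (Get-Content -Path $inf -Encoding Unicode)) {
        if ($line -match '^\s*SeDenyInteractiveLogonRight\s*=\s*(.*)$') {
            $keep = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } |
                      Where-Object { $_ -and ($Accounts -notcontains $_) })
            if ($keep.Count -gt 0) { "SeDenyInteractiveLogonRight = $($keep -join ',')" }
            # No entries left: drop the line so the right is undefined rather than blank.
        } else { $line }
    }
    Set-Content -Path $inf -Value $out -Encoding Unicode
}

function Step-GptVersion {
    param([string]$PolicyDir, [int]$Step = 1)
    $ini = Join-Path $PolicyDir 'GPT.ini'
    $out = foreach ($line in (Get-Content -Path $ini)) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') {
            # Version packs the user counter in the high 16 bits and the machine
            # counter in the low 16 bits; security settings are machine-side.
            [long]$v = $Matches[1]
            $machine = (($v -band 0xFFFF) + $Step) -band 0xFFFF
            "Version=$((($v -shr 16) -shl 16) -bor $machine)"
        } else { $line }
    }
    Set-Content -Path $ini -Value $out -Encoding Ascii
}

# Constructed sample GPO folder so the functions can be tried outside SYSVOL first.
$PolicyDir = Join-Path $env:TEMP '{00000000-0000-0000-0000-000000000000}'
New-Item -ItemType Directory -Force -Path "$PolicyDir\Machine\Microsoft\Windows NT\SecEdit" | Out-Null
@('[Unicode]', 'Unicode=yes', '[Privilege Rights]',
  'SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-1105',
  'SeInteractiveLogonRight = *S-1-5-32-544') |
  Set-Content "$PolicyDir\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf" -Encoding Unicode
@('[General]', 'Version=65539') | Set-Content "$PolicyDir\GPT.ini" -Encoding Ascii

# Remove the Domain Admins SID (RID 512) from the deny right, then bump the machine version by 10.
Remove-DenyInteractiveLogon -PolicyDir $PolicyDir -Accounts '*S-1-5-21-1111-2222-3333-512'
Step-GptVersion -PolicyDir $PolicyDir -Step 10
Get-Content "$PolicyDir\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf" -Encoding Unicode
Get-Content "$PolicyDir\GPT.ini"
```

After a manual SYSVOL edit the GPO's versionNumber in AD no longer matches GPT.ini; editing the GPO in GPMC in step 8 brings the two back in sync.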