I'm currently locked out of my domain controller and unable to log onto domain computers using accounts that are members of the Domain Admins group due to the incorrect application of a GPO at the top level. There are no other DCs in the domain. I have tried removing the GPO with RSAT on one of the workstations, but it is also disabled by this GPO. How can I remove this GPO and regain control of my domain? I have access to the DC through DSRM, but I'm not sure how I can use this since AD and Group Policy appear to be disabled when booting into DSRM. Unfortunately, we do not have a recent backup of AD I could restore to, as we just recently migrated to a new DC.
Any ideas are greatly appreciated as I'm currently staying overnight at work until I get this resolved. Thanks all.
Best Answer
After many hours I was able to regain access to the DC. What ended up working for me was the following. Keep in mind I had access to the DSRM login on the DC and basic domain network PowerShell commands.
There were some lingering effects of the GPO that had to be cleaned up with counter-GPOs. For example, WID lost the ability to log on as a service because that right was defined but blank in the problem GPO. As I discovered these effects, I wrote one-time GPOs to correct them and pushed them across the domain.
Hope this helps someone and thanks for all the suggestions.
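The failure mode in the accepted answer (a user right that is defined but left empty in a GPO, which strips it from everyone, including service accounts like WID) can be caught before a policy is linked at the domain root. The following is an added example, not code from the thread: it parses the `[Privilege Rights]` section of a GPO security template (`GptTmpl.inf`, as stored under SYSVOL) and flags blank logon rights. The file content below is a constructed sample; the function names are the example's own.

```python
# Added example (not from the original thread): audit a GPO security template
# (GptTmpl.inf under SYSVOL) for user rights that are defined but left blank.
# A blank entry removes that right from every principal.

# Logon rights that, when blanked at domain level, lock out users or services.
LOGON_RIGHTS = {
    "SeInteractiveLogonRight": "Allow log on locally",
    "SeRemoteInteractiveLogonRight": "Allow log on through Remote Desktop Services",
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeServiceLogonRight": "Log on as a service",
    "SeBatchLogonRight": "Log on as a batch job",
}

def parse_privilege_rights(inf_text):
    """Return {privilege: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            principals = [p.strip() for p in value.split(",") if p.strip()]
            rights[name.strip()] = principals
    return rights

def blank_rights(inf_text):
    """Privileges present in the template with no principals assigned."""
    return sorted(n for n, p in parse_privilege_rights(inf_text).items() if not p)

def dangerous_blank_rights(inf_text):
    """Subset of blank rights that govern logon; these lock out users or services."""
    return {n: LOGON_RIGHTS[n] for n in blank_rights(inf_text) if n in LOGON_RIGHTS}

# Constructed sample template reproducing the failure mode from the thread.
SAMPLE_INF = """[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeServiceLogonRight =
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight =
SeBackupPrivilege = *S-1-5-32-544
"""

if __name__ == "__main__":
    for name, desc in dangerous_blank_rights(SAMPLE_INF).items():
        print(f"WARNING: {name} ({desc}) is defined but empty")
```

To audit a real policy, read the template from the GPO's `MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf` path in SYSVOL (it is commonly UTF-16 encoded) and pass its text to `dangerous_blank_rights`.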