How do I remove a group policy without access to the domain (controller)?

I've got a (WS2012-R2) domain controller and a set of (WS2012-R2) servers that are members of the domain. I accidentally added a group that all administrators are members of to the Group Policy settings "Deny logon access locally", "Deny logon as service", "Deny remote access" and "Deny network access". This resulted in me and all other administrators (even the built-in account) being locked out of the domain controller.

Is there a way to regain access to the server by removing the GPO or by removing an admin account from the group that has been denied?

Solution 1:

Two thoughts come to mind.

You could, conceivably, use a boot CD to access the domain controller while it's offline and manually edit or delete the offending GPO - a domain's GPOs exist under the SYSVOL folder in the file system on domain controllers, and are applied as registry settings, both of which are accessible from a Boot CD - however, this would either be undone by replication or would cause domain replication errors as soon as the domain controller you did this on connected to the other domain controller(s) in the domain. (I'm making the assumption here that you do have more than one domain controller in your domain, as you should... if you only have the one, this wouldn't be a bad approach).

The other approach that comes to mind is to enter Directory Services Restore Mode and perform an authoritative restore from a backup that predates this GPO. (And this too, relies on the assumption that you're doing as you should do, and have backups to restore from.)
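Solution 1 points out that a domain's GPOs live under SYSVOL as plain files. The check below is an added example, not code from the thread: it parses the `[Privilege Rights]` section of a GPO's `GptTmpl.inf` security template and flags any of the four deny-logon rights that name an administrative principal, so a policy like the one in the question can be caught before it is linked (or located offline from a mounted SYSVOL). The sample template and the domain SIDs in it are constructed; the well-known SIDs/RIDs for Administrators, Domain Admins and Enterprise Admins are real.

```python
"""Flag deny-logon rights in a GptTmpl.inf that hit admin principals.

Hypothetical helper (not from the thread). Templates sit at
<SYSVOL>\\<domain>\\Policies\\{GUID}\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf
and are usually UTF-16; read them with encoding="utf-16" before calling these.
"""

# User-rights constants as they appear in GptTmpl.inf -> GUI name.
DENY_RIGHTS = {
    "SeDenyInteractiveLogonRight": "Deny log on locally",
    "SeDenyServiceLogonRight": "Deny log on as a service",
    "SeDenyRemoteInteractiveLogonRight": "Deny log on through Remote Desktop Services",
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
}
ADMIN_SIDS = {"S-1-5-32-544"}        # BUILTIN\Administrators
ADMIN_RIDS = {"512", "519"}          # Domain Admins, Enterprise Admins

def parse_privilege_rights(text: str) -> dict:
    """Return {right: [sid, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Values are comma-separated SIDs, each prefixed with '*'.
        rights[key.strip()] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return rights

def is_admin_sid(sid: str, extra_sids=()) -> bool:
    """True for BUILTIN\\Administrators, DA/EA by RID, or any caller-supplied SID."""
    domain_rid = sid.rsplit("-", 1)[-1] if sid.startswith("S-1-5-21-") else None
    return sid in ADMIN_SIDS or domain_rid in ADMIN_RIDS or sid in set(extra_sids)

def find_admin_lockouts(text: str, extra_sids=()) -> list:
    """(right, sid) pairs where a deny right would lock out an admin principal."""
    hits = []
    for right, sids in parse_privilege_rights(text).items():
        if right in DENY_RIGHTS:
            hits.extend((right, s) for s in sids if is_admin_sid(s, extra_sids))
    return hits

# Constructed template: Administrators and a custom group (RID 1105) denied locally,
# Domain Admins denied from the network; an allow right must not be flagged.
SAMPLE = """[Version]
signature="$CHICAGO$"
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeDenyNetworkLogonRight = *S-1-5-21-1111-2222-3333-512
SeInteractiveLogonRight = *S-1-5-32-544
"""
```

Pass the SID of any custom group that administrators belong to via `extra_sids`, since group membership is not visible in the template itself.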

Solution 2:

I haven't actually tried this. (Sorry.) I'm also assuming that RSAT won't work because of "deny remote/network access." (If you haven't tried this, it's worth a shot, but I'm not optimistic.)

Perhaps you could create a new administrator account with a Hiren's Boot CD and use that account to edit the policy.