Locked out of DC and domain admin accounts via GPO
After many hours I was able to regain access to the DC. What ended up working for me was the following. Keep in mind I had access to the DSRM login on the DC and basic domain network PowerShell commands.
- Identify GPO GUID using PowerShell on a domain workstation.
- (Import-Module GroupPolicy, Get-Gpo -all, note the GUID of the GPO)
- Boot into DSRM using local administrator account.
- Locate GPO by GUID in SYSVOL folder.
- (C:\Windows\SYSVOL\domain\Policies{YOUR_GUID_HERE}
- Navigate to GptTmpl.inf file in GPO folder structure.
- (..\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf)
- Make changes to the policy as needed. For me it was removing certain users from the "SeDenyInteractiveLogonRight", although I added them to the related 'allow' right as well for good measure. Save this file.
- Go back up to the root policy GUID folder and locate the GPT.ini file.
- Edit (increment) the version number here. It's easiest to add a 0 to the end of the version number, or at least add 10. Group Policy will check this number to determine if the policy should be re-processed.
- Reboot the DC and, assuming you're able to login, disable/edit/delete the GPO and do a gpupdate /force from the command prompt to make sure the changes propagate quickly.
There were some lingering effects of the GPO that had to be cleaned up with counter-GPOs. For example, WID lost the ability to logon as a service because that right was defined but blank in the problem GPO. As I discovered these effects I wrote one-time GPOs to correct them and pushed them across the domain.
Hope this helps someone and thanks for all the suggestions.
I don't know if this will work for you but I figured it was worth posting as a "possible answer".
Some time ago while reading around the Internet I came across http://www.nobodix.org/seb/win2003_adminpass.html . According to that article while logged in in "directory services recovery mode" you can set up a "service" to run a command. Then after rebooting back into normal mode the service will run and execute your command as the "system" user.
I don't know if this technique will still work on more modern versions of Windows and I don't know if it will work for the commands you need (which seem more complex than a simple password reset) but it might be worth a shot.
Another user has a similar thread here on serverfault: How do I remove a group policy without access to the domain (controller)?
The asker never selected a winning answer, but the suggested methods include (in no particular order):
- Deleting the offending GPO from the SYSVOL folder (
\\example.com\SYSVOL\Policies
orC:\Windows\SYSVOL\sysvol\example.com\Policies
) Sort by date modified and delete the new one. - Use PowerShell's Active Directory module to Remove-ADGroupMember to get your account out of the banned group (assuming the GPO applies to a group other than Domain Admins)
- Manually editing the group policy's .inf and then deleting the registry settings from the domain controller https://serverfault.com/a/795162/337307
Good luck, I hope one of these methods will work for you!
I would say you are royally screwed here. My one major screw up in my tech career was something similar - I accidentally disabled every account in the domain, including all admin accounts (my own included). fortunately, as a child domain I was able to get someone with an Enterprise Admin account to enable my account, after which I was able to reverse what I did.
If you don't have this option, you will need to use DSRM to restore your admin account. You've mentioned that you migrated from another DC - if this is the case, and the DC is still in the domain and still a DC, make sure you understand the difference between authoritative and non-authoritative restores.
Restoring your own admin account (or whichever other admin accounts are in whatever backups you have access to) will let you undo whatever else has been done.