Locked out of DC and domain admin accounts via GPO

After many hours I was able to regain access to the DC. What ended up working for me was the following. Keep in mind I had access to the DSRM login on the DC and basic domain network PowerShell commands.


  1. Identify GPO GUID using PowerShell on a domain workstation.
    • (Import-Module GroupPolicy; Get-GPO -All; note the GUID of the GPO)
  2. Boot into DSRM using local administrator account.
  3. Locate GPO by GUID in SYSVOL folder.
    • (C:\Windows\SYSVOL\domain\Policies\{YOUR_GUID_HERE})
  4. Navigate to GptTmpl.inf file in GPO folder structure.
    • (..\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf)
  5. Make changes to the policy as needed. For me it was removing certain users from the "SeDenyInteractiveLogonRight", although I added them to the related 'allow' right as well for good measure. Save this file.
  6. Go back up to the root policy GUID folder and locate the GPT.ini file.
  7. Edit (increment) the version number here. It's easiest to add a 0 to the end of the version number, or at least add 10. Group Policy will check this number to determine if the policy should be re-processed.
  8. Reboot the DC and, assuming you're able to log in, disable/edit/delete the GPO and do a gpupdate /force from the command prompt to make sure the changes propagate quickly.

There were some lingering effects of the GPO that had to be cleaned up with counter-GPOs. For example, WID lost the ability to log on as a service because that right was defined but blank in the problem GPO. As I discovered these effects I wrote one-time GPOs to correct them and pushed them across the domain.

Hope this helps someone and thanks for all the suggestions.
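The SYSVOL edit in steps 3 to 7 above, as an added PowerShell example (it is not code from the post). It removes the given principals from SeDenyInteractiveLogonRight in GptTmpl.inf, grants them SeInteractiveLogonRight as the post did, warns about rights that are defined but empty (the cause of the WID problem the post mentions), and increments Version in GPT.ini. Assumptions: the function name Repair-DenyLogonRight, the demo GUID, and the sample .inf and .ini contents are all constructed here; real GptTmpl.inf files are UTF-16 LE as secedit writes them, and GPT.ini is ANSI text.

```powershell
function Repair-DenyLogonRight {
    param(
        [Parameter(Mandatory)] [string]   $PolicyFolder,   # ...\SYSVOL\domain\Policies\{GUID}
        [Parameter(Mandatory)] [string[]] $Principals      # entries as written in the .inf, e.g. '*S-1-5-32-544'
    )
    $inf = Join-Path $PolicyFolder 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    $ini = Join-Path $PolicyFolder 'GPT.ini'
    Copy-Item -LiteralPath $inf -Destination "$inf.bak" -Force   # undo copies before touching policy
    Copy-Item -LiteralPath $ini -Destination "$ini.bak" -Force

    $denyKey  = 'SeDenyInteractiveLogonRight'
    $allowKey = 'SeInteractiveLogonRight'
    $out = New-Object 'System.Collections.Generic.List[string]'
    $allowSeen = $false; $privIdx = -1

    # secedit writes GptTmpl.inf as UTF-16 LE, so read and write it as Unicode.
    foreach ($line in Get-Content -LiteralPath $inf -Encoding Unicode) {
        if ($line -match '^\s*\[Privilege Rights\]') {
            $privIdx = $out.Count; $out.Add($line)
        }
        elseif ($line -match "^\s*$denyKey\s*=\s*(.*)$") {
            # Keep everyone else denied; drop only the principals being unlocked.
            $keep = $Matches[1].Split(',') | ForEach-Object { $_.Trim() } |
                    Where-Object { $_ -and ($Principals -notcontains $_) }
            $out.Add("$denyKey = " + ($keep -join ','))
        }
        elseif ($line -match "^\s*$allowKey\s*=\s*(.*)$") {
            $allowSeen = $true
            $have   = @($Matches[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            $merged = $have + @($Principals | Where-Object { $have -notcontains $_ })
            $out.Add("$allowKey = " + ($merged -join ','))
        }
        else { $out.Add($line) }
    }
    if (-not $allowSeen) {
        # Mirror the post: grant the matching 'allow' right as well.
        if ($privIdx -lt 0) { $out.Add('[Privilege Rights]'); $privIdx = $out.Count - 1 }
        $out.Insert($privIdx + 1, "$allowKey = " + ($Principals -join ','))
    }
    # A right that is defined but empty strips it from everyone (the WID
    # 'log on as a service' problem in the post); flag those before writing.
    foreach ($l in $out) {
        if ($l -match '^\s*(Se\w+)\s*=\s*$') { Write-Warning "$($Matches[1]) is defined but empty in $inf" }
    }
    Set-Content -LiteralPath $inf -Value $out.ToArray() -Encoding Unicode

    # GPT.ini Version is one 32-bit number: high 16 bits = user side, low 16 bits =
    # machine side. +1 bumps the machine side, which is where GptTmpl.inf lives.
    $iniText = [IO.File]::ReadAllText($ini, [Text.Encoding]::Default)   # GPT.ini is ANSI text
    if (-not ($iniText -match '(?m)^Version\s*=\s*(\d+)')) { throw "No Version= line in $ini" }
    $newVersion = [int]$Matches[1] + 1
    $iniText = $iniText -replace '(?m)^(Version\s*=\s*)\d+', "`${1}$newVersion"
    [IO.File]::WriteAllText($ini, $iniText, [Text.Encoding]::Default)
    return $newVersion
}

# --- Constructed demo folder (not a real GPO) so the function can be tried safely ---
$demo    = Join-Path ([IO.Path]::GetTempPath()) 'Policies\{11111111-2222-3333-4444-555555555555}'
$secedit = Join-Path $demo 'Machine\Microsoft\Windows NT\SecEdit'
New-Item -ItemType Directory -Path $secedit -Force | Out-Null
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeServiceLogonRight =
'@ | Set-Content -LiteralPath (Join-Path $secedit 'GptTmpl.inf') -Encoding Unicode
"[General]`r`nVersion=65539`r`ndisplayName=Lockout demo" |
    Set-Content -LiteralPath (Join-Path $demo 'GPT.ini') -Encoding ASCII

# Unlock BUILTIN\Administrators (S-1-5-32-544); BUILTIN\Users (S-1-5-32-545) stays denied.
$v = Repair-DenyLogonRight -PolicyFolder $demo -Principals '*S-1-5-32-544'
Get-Content -LiteralPath (Join-Path $secedit 'GptTmpl.inf') -Encoding Unicode
"GPT.ini Version: 65539 (0x00010003) -> $v (0x00010004): machine side 3 -> 4, user side untouched"
```

For the real case, run it from an elevated PowerShell in DSRM against the folder from step 3, e.g. Repair-DenyLogonRight -PolicyFolder 'C:\Windows\SYSVOL\domain\Policies\{YOUR_GUID_HERE}' -Principals '*<SID as it appears in the .inf>'; domain group SIDs end in their RID (512 for Domain Admins). The .bak copies stay next to the originals in case the edit has to be reverted, and step 8 (reboot, then disable or delete the GPO and gpupdate /force) still applies.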


I don't know if this will work for you but I figured it was worth posting as a "possible answer".

Some time ago while reading around the Internet I came across http://www.nobodix.org/seb/win2003_adminpass.html . According to that article, while logged in to "directory services recovery mode" you can set up a "service" to run a command. Then after rebooting back into normal mode the service will run and execute your command as the "system" user.

I don't know if this technique will still work on more modern versions of Windows and I don't know if it will work for the commands you need (which seem more complex than a simple password reset) but it might be worth a shot.
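The service trick this answer describes, as an added example (it is not code from the answer or from the linked article): from an elevated prompt in DSRM, register a service that runs a batch file as LocalSystem on the next normal boot. Assumptions: the service name DsrmFix, the script and log paths, and the GPO name 'Problem GPO' are placeholders chosen here; disabling the GPO via the GroupPolicy module's Gpo object needs GPMC installed on the DC.

```powershell
$fix = 'C:\Windows\Temp\dsrm-fix.cmd'
$log = 'C:\Windows\Temp\dsrm-fix.log'

# The payload. SCM gives a binary that never registers as a service roughly 30 s
# before it reports error 1053 and ends it, so keep this short and log everything;
# the log is how you find out afterwards what ran and as whom.
@"
@echo off
echo %DATE% %TIME% running as: >> "$log"
whoami >> "$log" 2>&1
powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "(Get-GPO -Name 'Problem GPO').GpoStatus = 'AllSettingsDisabled'" >> "$log" 2>&1
echo exit code %ERRORLEVEL% >> "$log"
"@ | Set-Content -LiteralPath $fix -Encoding ASCII

# sc.exe needs the space after each 'name=' token. depend= NTDS makes the service
# start only after Active Directory Domain Services is up, so the GPO call can reach AD.
sc.exe create DsrmFix binPath= "cmd.exe /c $fix" start= auto depend= NTDS
sc.exe qc DsrmFix

# After rebooting into normal mode: read the log, then remove the one-shot service.
#   sc.exe delete DsrmFix
#   Remove-Item $fix, $log
```

Whatever goes in the batch file runs with the DC's LocalSystem rights, so treat the script and the service as something to delete the moment the lockout is resolved.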