We have 2 domain controllers with Server 2019. The system administrator made something with a GPO that denies access for the group "Domain Admins" to workstations, and now it is distributed throughout the domain (including domain controllers and servers). He also made changes in Active Directory Users and Computers (like adding Domain Admins to the Protected Users group, denying delegation for domain admins in their profiles, and resetting the krbtgt password).
The GPO was like this (user rights assignments):
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services
The error:
Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.
So we can't log on to domain controllers or other servers/workstations with domain admin logins. All remote control is also blocked.
I don't know if it's just the GPO or something else (because, when viewed remotely, the GPO should not be applied to the OU with the domain controllers).
I did an authoritative restore (DSRM) of all of AD; it didn't work. I see that the SYSVOL folder still has this GPO (files deleted but folder structure preserved). Also all changes made to AD are still preserved (like the Domain Admins users still being in the Protected Users group). Why are these changes not rolled back?
gpupdate /force from workstations shows an error because gpt.ini for this GPO does not exist and the group policy cannot be applied.
Any help please?
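To separate "just the GPO" from "something else", a read-only inventory of the relevant settings helps. The script below is an added example, not code from the poster or from Microsoft; it assumes the GroupPolicy and ActiveDirectory RSAT modules are available and that it runs under an account that can still read the GPOs and AD (nothing here modifies or bypasses anything). It reports every GPO that assigns one of the five "Deny ..." user rights quoted above, to which principals and where it is linked, flags rows that hit Domain Admins (RID 512), shows which Domain Admins members are in Protected Users or marked "cannot be delegated", and, on the host where it runs elevated, dumps the deny rights actually in effect from whatever source.

```powershell
# Added example, not the poster's code. Read-only inventory of the settings
# behind the lockout: GPO deny rights, AD account changes, and the effective
# deny rights on the local host. Assumes GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Privilege constants behind the five policy names quoted in the question
$DenyRights = @{
    'SeDenyNetworkLogonRight'           = 'Deny access to this computer from the network'
    'SeDenyBatchLogonRight'             = 'Deny log on as a batch job'
    'SeDenyServiceLogonRight'           = 'Deny log on as a service'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
}

function Get-GpoDenyRightAssignments {
    # Walk every GPO's XML report; one row per (GPO, deny right, principal)
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; '
        # local-name() sidesteps the q1:/q2: namespace prefixes used in the report
        foreach ($ura in $report.SelectNodes("//*[local-name()='UserRightsAssignment']")) {
            $right = ($ura.ChildNodes | Where-Object LocalName -eq 'Name' | Select-Object -First 1).InnerText
            if (-not $DenyRights.ContainsKey($right)) { continue }
            foreach ($member in ($ura.ChildNodes | Where-Object LocalName -eq 'Member')) {
                $sid = ($member.ChildNodes | Where-Object LocalName -eq 'SID').InnerText
                [pscustomobject]@{
                    GPO              = $gpo.DisplayName
                    GpoId            = $gpo.Id
                    Right            = $DenyRights[$right]
                    Principal        = ($member.ChildNodes | Where-Object LocalName -eq 'Name').InnerText
                    SID              = $sid
                    # RID 512 is Domain Admins in every domain
                    HitsDomainAdmins = [bool]($sid -match '-512$')
                    LinkedTo         = $links
                }
            }
        }
    }
}

function Get-AdminAccountState {
    # The AD-side changes the question lists: Protected Users membership and
    # the "account is sensitive and cannot be delegated" flag, per Domain Admin
    $protected = Get-ADGroupMember 'Protected Users' -Recursive |
                 Select-Object -ExpandProperty SamAccountName
    $admins = Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user'
    foreach ($u in $admins) {
        $acct = Get-ADUser $u.SamAccountName -Properties AccountNotDelegated
        [pscustomobject]@{
            Account          = $acct.SamAccountName
            InProtectedUsers = ($protected -contains $acct.SamAccountName)
            NotDelegated     = [bool]$acct.AccountNotDelegated
        }
    }
}

function Get-LocalDenyRights {
    # Rights actually in effect on this machine, regardless of source (GPO,
    # local policy, leftovers). Needs an elevated prompt for secedit.
    $inf = Join-Path $env:TEMP 'rights-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
        $name, $value = $Matches[1], $Matches[2]
        if ($DenyRights.ContainsKey($name)) {
            [pscustomobject]@{
                Right      = $DenyRights[$name]
                # secedit writes SIDs with a leading '*'; names appear as-is
                Principals = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
            }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
}

# Usage (all read-only):
Get-GpoDenyRightAssignments | Where-Object HitsDomainAdmins | Format-Table -AutoSize
Get-AdminAccountState | Format-Table -AutoSize
(Get-ADUser krbtgt -Properties PasswordLastSet).PasswordLastSet   # when the krbtgt reset happened
Get-LocalDenyRights | Format-Table -AutoSize                       # run elevated on the host being checked
```

Comparing the GPO rows (what the policy objects say and where they are linked) with the local export (what the host actually enforces) answers the "GPO or something else" question directly: a deny right that shows up in the local export but in no GPO row points at a non-GPO source on that host, while a GPO row whose link scope includes the Domain Controllers OU explains the lockout on the DCs.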