While testing implementing RMF security controls vulnerability ID V-63877 – Deny log on locally user right on workstations to Enterprise Admins and Domain Admin group via GPO, I basically logged myself out of Domain Controllers. Thanks God this was only the test environment. First of all I should have linked this GPO to a group containing workstations rather than at domain level. It was linked at the domain level which applied to the Domain Controllers group too.
1. Boot into DSRM (Directory Service Restore Mode) using local administrator account.

a. Press the Windows key+R to open the Rub box and type msconfig press Enter.
b. On the System Configuration dialog box , under Boot tab check Safe boot option, click Active Directory repair to select the DSRM option and Click OK and Restart to boot to DSRM.
c. Press Ctrl-Alt-Del to obtain the login window.
d. Click Other user or the Switch user arrow followed by Other user at the login prompt and type .\Administrator in the User name field.
e. Type the DSRM password in the Password field and press Enter to login.

2. Modify the GPO 

1. Locate GPO by GUID in SYSVOL folder.
   • (C:\Windows\SYSVOL\domain\Policies{YOUR_GUID_HERE}
2. Navigate to GptTmpl.inf file in GPO folder structure.
   • (..\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf)
3. Make changes to the policy as needed. For me it was removing certain users from the “SeDenyInteractiveLogonRight” and “SeDenyNetworkLogonRight”, also I added them to the related ‘allow’ right as well for good measure. Save this file.
4. Go back up to the root policy GUID folder and locate the GPT.ini file.
5. Edit (increment) the version number here. It’s easiest to add a 0 to the end of the version number, or at least add 10. Group Policy will check this number to determine if the policy should be re-processed.
6. Reboot the DC and, assuming you’re able to login, disable/edit/delete the GPO and do a gpupdate /force from the command prompt to make sure the changes propagate quickly.