I am getting the Exchange Management Console "Connection Refused" problems that seem so well documented here, though I've tried just about everything in the book to try to clear the problems, (re)install WinRM, check Kerberos local, IIS Default Domain Bindings.
I'm on the verge of doing this one:
EMC Permissions Gone Part Deux
Though this domain's config has been unusual for quite a while, and it seems possible something nonstandard was done, which, while I was trying to straighten things out, has "broken" something else.
For example, previously we had a rather odd Default Domain GPO config, set up by other people before me.
Computer Configuration
- Windows Settings
- - Security Settings
- - - Local Policies
- - - - User Rights Assignment
- - - - - Allow log on locally
- - - - - - CORNELL\Domain Admins, S-1-5-21-1226845288-2242785007-541740708-2640, BUILTIN\Administrators
- - - - - Log on as a service
- - - - - - BUILTIN\Administrators, S-1-5-21-1226845288-2242785007-541740708-2640, domain admins
... pushed to every desktop and server. This GPO overwrites/deletes Microsoft's standard security policy, and basically involved EVERYONE in the domain being an administrator, or they can't log on.
Oh, and the firewall was turned off on all Windows servers.
I have since built a new Default Domain GPO that includes Microsoft's default desktop security config for Windows, to undo that bizarreness and allow non-admin user accounts to log on again.
Computer Configuration
- Windows Settings
- - Security Settings
- - - Local Policies
- - - - User Rights Assignment
- - - - - Allow log on locally
- - - - - - BUILTIN\Administrators, BUILTIN\Backup Operators, CORNELL\Domain Admins, CORNELL\Domain Users, Power Users, BUILTIN\Users
- - - - - Log on as a service
- - - - - - CORNELL\Domain Admins, BUILTIN\Administrators
(Actually domain admins aren't in there normally for "Log on as a service" but I had to do that or Backup Exec 2010 won't load.)
I see there is a separate DC GPO, and from reading up on how GPOs apply at startup, the DC policy runs after the Default Domain GPO, so supposedly it should have been resetting the Default domain oddness. Since Exchange 2010 is on the DC, it should still be using whatever is in that GPO.
I have not tried to comb through that one to figure out if it has jury-rigged barbed-wire like was in the Default Domain GPO.
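
An added example, not part of the original post: one way to see which principals hold the two user rights discussed above, in the INF format that `secedit /export` writes. It flags entries whose SID does not resolve to an account. The function name `Get-UserRightHolders` and the sample lines are constructed for illustration; the unresolved SID in the sample is the one quoted in the post.

```powershell
# Added example (hypothetical helper, not from the original post).
function Get-UserRightHolders {
    param(
        [Parameter(Mandatory)] [string[]] $InfLines,  # lines of a secedit export
        [Parameter(Mandatory)] [string[]] $Rights     # privilege constants to report
    )
    foreach ($right in $Rights) {
        $line = $InfLines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        if (-not $line) {
            [pscustomobject]@{ Right = $right; Entry = '(not defined)'; Name = $null; Resolved = $false }
            continue
        }
        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            if ($entry -eq '') { continue }
            $name = $null
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs with a leading asterisk
                try {
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = $null }  # SID does not map to any account
            } else {
                $name = $entry             # stored as an account name already
            }
            [pscustomobject]@{ Right = $right; Entry = $entry; Name = $name; Resolved = [bool]$name }
        }
    }
}

# Constructed sample in secedit INF format (S-1-5-32-544 is BUILTIN\Administrators).
$sample = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1226845288-2242785007-541740708-2640
SeServiceLogonRight = *S-1-5-32-544,*S-1-5-21-1226845288-2242785007-541740708-2640
'@ -split "`r?`n"

Get-UserRightHolders -InfLines $sample -Rights 'SeInteractiveLogonRight','SeServiceLogonRight' |
    Format-Table -AutoSize

# Against the live server (elevated prompt), export the applied rights and pass the file in:
#   secedit /export /cfg "$env:TEMP\user-rights.inf" /areas USER_RIGHTS
#   Get-UserRightHolders -InfLines (Get-Content "$env:TEMP\user-rights.inf") `
#       -Rights 'SeInteractiveLogonRight','SeServiceLogonRight'
```

`gpresult /h report.html` on the same server shows which GPO supplied each of these settings.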