I have a policy that did a bad thing, and now need to correct it on just those machines that were hit with the policy... (672 machines)
Any straightforward way of doing this? Seems like an EA would have to be used?
What did it do, high level? Did it install any package that should not have been installed? If so, you can create a Smart Group for Macs that have that specific Package Receipt on them, assuming the policy was collecting inventory afterwards, or inventory has been collected since.
If it wasn't something that installed a package, then perhaps an EA script as you mentioned will be needed. But without knowing a little more about what happened, it's hard to really help.
Unfortunately it wasn't done by package, but rather by script. Now I think it may always be best to use packages to run scripts instead of the script attribute in a policy.
Anyway, I think I'm going to give this a couple shots on my own, now that I've had more time to think about it, and if I fail, I will be back to this thread!