You have multiple accounts
Choose the account you want to sign in with.

Symptoms

When you install Microsoft Exchange Server 2016 in an on-premises environment, the following groups are added to the Default Domain Controller policy:

  • Exchange Servers (EXS)

  • Exchange Trusted Subsystem (ETS)

However, this addition is incorrect. These groups should not be granted the SeDebugPrivilege permission.

The Debug programs policy path is as follows:

Default Domain Controllers Policy > Computer Configuration > Policies > Windows settings > Security Settings\Local Policies > User Rights Assignment > Debug Programs

Resolution

Exchange Server 2016

Starting in Cumulative Update 9 for Exchange Server 2016, the SeDebugPrivilege permission is no longer granted during installation to servers that run Exchange Server or to Exchange Trusted Subsystem groups.

To remove the SeDebugPrivilege permission from these groups on domain controllers, follow these steps:

  1. In Group Policy Management Editor, go to the User Rights Assignment path.

  2. In the Debug programs policy, open the Debug program properties list, and then remove the Exchange Servers and Exchange Trusted Subsystem groups from the list.

  3. Click OK.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

Learn about the terminology that Microsoft uses to describe software updates.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!

×