Exchange Servers and Exchange Trusted Subsystem groups unexpectedly have the "debug programs" user right

Applies to: Exchange Server 2016 Standard EditionExchange Server 2016 Enterprise Edition

Symptoms


After you install Microsoft Exchange Server 2016, you notice that the Exchange Servers and Exchange Trusted Subsystem groups have the "Debug programs" user right on domain controllers. This status appears in the Default Domain Controller Policy object in Group Policy Management Editor in the following path:

Default Domain Controller Policy\Computer Config\Policies\Windows settings\Security Settings\local policies\User Rights Assignments\Debug program

Debug programs user right for Exchange groups

Cause


During the installation of Exchange Server 2016, the default domain controller policy grants the "Debug programs" user right to the Exchange Servers and Exchange Trusted Subsystem groups. However, these groups don’t require this user right on the domain controller.

Workaround


To work around this issue, manually remove the "Debug programs" user right from the Exchange Servers and Exchange Trusted Subsystem groups.

Status


Microsoft is aware of this issue and is working on a fix to be released in a future update.