The ETS and EXS groups are incorrectly granted “SeDebugPrivilege” in Exchange Server 2016 on-premises

Applies to: Exchange Server 2016 Enterprise EditionExchange Server 2016 Standard Edition


When you install Microsoft Exchange Server 2016 in an on-premises environment, the following groups are added to the Default Domain Controller policy:

  • Exchange Servers (EXS)
  • Exchange Trusted Subsystem (ETS)

However, this addition is incorrect. These groups should not be granted the SeDebugPrivilege permission.

The Debug programs policy path is as follows:

Default Domain Controllers Policy > Computer Configuration > Policies > Windows settings > Security Settings\Local Policies > User Rights Assignment > Debug Programs


Exchange Server 2016

Starting in Cumulative Update 9 for Exchange Server 2016, the SeDebugPrivilege permission is no longer granted during installation to servers that run Exchange Server or to Exchange Trusted Subsystem groups.

To remove the SeDebugPrivilege permission from these groups on domain controllers, follow these steps:

  1. In Group Policy Management Editor, go to the User Rights Assignment path.
  2. In the Debug programs policy, open the Debug program properties list, and then remove the Exchange Servers and Exchange Trusted Subsystem groups from the list.
  3. Click OK.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


Learn about the terminology that Microsoft uses to describe software updates.