Exchange Servers and Exchange Trusted Subsystem groups unexpectedly have the debug programs user right

This article provides a workaround for an issue in which the Debug programs user right is unexpectedly granted to the Exchange Servers and Exchange Trusted Subsystem groups in Microsoft Exchange Server 2016.

Original KB number: 4055597

Symptoms

After you install Exchange Server 2016, you notice that the Exchange Servers and Exchange Trusted Subsystem groups have the Debug programs user right on domain controllers. This assignment appears in the Default Domain Controllers Policy object in Group Policy Management Editor at the following path:

Default Domain Controllers Policy\Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs

[Screenshot: Debug programs user right for Exchange groups]

Cause

During the installation of Exchange Server 2016, the default domain controller policy grants the Debug programs user right to the Exchange Servers and Exchange Trusted Subsystem groups. However, these groups don't require this user right on the domain controller.

Workaround

To work around this issue, manually remove the Debug programs user right from the Exchange Servers and Exchange Trusted Subsystem groups.
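
The following PowerShell is an added example, not part of the original Microsoft article. It parses the [Privilege Rights] section of a GptTmpl.inf security template and flags the two Exchange groups if they hold SeDebugPrivilege (the constant behind Debug programs), which helps confirm the symptom and verify the workaround afterward. The function name, the CONTOSO sample lines, and the SYSVOL path in the comment (default layout, well-known Default Domain Controllers Policy GUID) are assumptions.

```powershell
# Added example: list the principals that hold SeDebugPrivilege in a GptTmpl.inf
# template and flag the two Exchange groups named in this article.
function Get-DebugProgramsHolder {
    param([Parameter(Mandatory)][string[]]$InfLine)

    # Group names taken from the article; compared with the resolved account name.
    $exchangeGroups = 'Exchange Servers', 'Exchange Trusted Subsystem'

    # The right is stored as: SeDebugPrivilege = *<SID>,*<SID>,<account name>,...
    $line = $InfLine | Where-Object { $_ -match '^\s*SeDebugPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }   # right is not defined in this template

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        $name = $entry
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; translate to DOMAIN\name when possible.
            try {
                $sid  = [System.Security.Principal.SecurityIdentifier]::new($entry.TrimStart('*'))
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = $entry }   # unresolvable (offline, deleted account): keep the SID
        }
        [pscustomobject]@{
            Entry           = $entry
            Account         = $name
            IsExchangeGroup = ($name -split '\\')[-1] -in $exchangeGroups
        }
    }
}

# Constructed sample lines (not real data). To audit a real domain, read the template instead
# (assumed default SYSVOL layout):
# $lines = Get-Content "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
$lines = @(
    '[Privilege Rights]'
    'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551'
    'SeDebugPrivilege = *S-1-5-32-544,CONTOSO\Exchange Servers,CONTOSO\Exchange Trusted Subsystem'
)
Get-DebugProgramsHolder -InfLine $lines | Format-Table -AutoSize
```

After the workaround is applied and Group Policy has refreshed, no row should have IsExchangeGroup set to True.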

Status

Microsoft is aware of this issue and is working on a fix to be released in a future update.