Exchange Servers and Exchange Trusted Subsystem groups unexpectedly have the debug programs user right
Original KB number: 4055597
Symptoms
After you install Exchange Server 2016, you notice that the Exchange Servers and Exchange Trusted Subsystem groups have the Debug programs user right on domain controllers. This status appears in the Default Domain Controller Policy object in Group Policy Management Editor in the following path:
Default Domain Controller Policy\Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs
Cause
During the installation of Exchange Server 2016, the default domain controller policy grants the Debug programs user right to the Exchange Servers and Exchange Trusted Subsystem groups. However, these groups don't require this user right on the domain controller.
Workaround
To work around this issue, manually remove the Debug programs user right from the Exchange Servers and Exchange Trusted Subsystem groups.
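To confirm the state before and after the manual removal, the following added example (not part of the original article and not Microsoft's code) exports the user rights on a domain controller and lists every principal that holds Debug programs (SeDebugPrivilege). The function name Get-DebugPrivilegeHolder and the temporary file name are hypothetical; run it in an elevated PowerShell session on the domain controller.

```powershell
# Added example: list holders of "Debug programs" (SeDebugPrivilege) on this DC
# and flag the two Exchange groups named in this article.

function Get-DebugPrivilegeHolder {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$InfPath)

    # secedit writes an INF file; the line of interest has the form
    #   SeDebugPrivilege = *<SID>,*<SID>,...
    $line = Get-Content -LiteralPath $InfPath |
        Where-Object { $_ -match '^\s*SeDebugPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }   # the right is not assigned to anyone

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        $name = $entry
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; resolve them to account names.
            $sid = $entry.Substring(1)
            try {
                $sidObj = New-Object System.Security.Principal.SecurityIdentifier $sid
                $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = "$sid (unresolved)"
            }
        }
        [pscustomobject]@{
            Principal     = $name
            Raw           = $entry
            ExchangeGroup = $name -match '(^|\\)(Exchange Servers|Exchange Trusted Subsystem)$'
        }
    }
}

# Export only the user rights section of this machine's security settings.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'   # hypothetical file name
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$holders = @(Get-DebugPrivilegeHolder -InfPath $inf)
Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue

$holders | Format-Table -AutoSize
if ($holders | Where-Object { $_.ExchangeGroup }) {
    Write-Warning 'An Exchange group still holds the Debug programs user right.'
}
```

After the groups are removed from the policy and Group Policy has refreshed on the domain controller, the warning should no longer appear.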
Status
Microsoft is aware of this issue and is working on a fix to be released in a future update.