[Feature Request] check for "Debug Programs" right on Default Domain Controller Policy object in HealthChecker #2275
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Is your request related to a problem? Please describe.
A clear and concise description of what the problem is and the results it had on the environment.
HealthChecker script should check for the presence of "Debug Programs" user rights assigned to the "Exchange Servers" and "Exchange Trusted Subsystem" groups and flag as an issue if found
i ran into this problem a few times recently doing some security audits using the Purple Knight tool which did identify the issue
in short, at some point in the Exchange 2016 lifecycle some extra rights were written into the Active Directory GPO, Default Domain Controller Policy
Describe The Request
A clear and concise description of the feature to add to a current tool or a new tool with what we all want to be checking with examples.
based on the support article below these debug rights are not necessary and can be safely removed.
as far as i can tell there wasnt a subsequent fix that rolled these rights back as i found these in some environments that have been updated man y times in the 2019 lifecycle and subsequent domainprep applications dont seem to have rolled these rights back
Additional context
Add any other context or screenshots about the feature request here.
reference: https://learn.microsoft.com/en-us/previous-versions/troubleshoot/exchange/exchangeserver/unexpected-debug-programs-user-right
The text was updated successfully, but these errors were encountered: