Exchange Servers need the Manage Auditing and Security Log right

If you are troubleshooting why your Exchange services will not start, be sure to double-check the Manage auditing and security log right in the Default Domain Controllers Policy. When the “Manage auditing and security log” right (SeSecurityPrivilege) is removed from the Exchange Enterprise Servers (Exchange 2000/2003) or Exchange Servers (Exchange 2007) group, many issues may arise, including those described here:

http://support.microsoft.com/kb/896703

Why does Exchange need the Manage auditing and security log right?

The SeSecurityPrivilege right is required to support various Exchange security functions, including the ability to report which Windows accounts are being used to gain access to mailboxes. The Exchange server groups are granted this right because Exchange no longer runs under its own security/service account but under the Local System account, which has no permissions on machines other than its own. The group membership is therefore what allows the Exchange servers to authenticate with the rights they need.

By default, the only group in the domain with the SeSecurityPrivilege right is the built-in Administrators group. When Exchange 2003 is installed, the /domainprep process grants this privilege to the Exchange Enterprise Servers group. For Exchange 2007, the /PrepareDomain process grants this privilege to the Exchange Servers group.

How can this privilege be revoked?

There are several reasons that could lead to this privilege being reset or revoked. First, if the Security.inf template is reapplied to the domain, the SeSecurityPrivilege right is reset to its default. Also, third-party security auditing or configuration tools may raise a general security recommendation flagging that a group other than Built-In\Administrators holds SeSecurityPrivilege. Wanting to ensure security “best practices” are followed, an administrator may then remove the Exchange Enterprise Servers group.

How can you verify the privilege is in place?

The Policytest.exe utility, included on the Exchange installation CD-ROM, can be used to verify the privilege is in place. Simply execute the .exe to view output similar to that shown below:

Policytest will check each domain controller to verify the right is in place.
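For environments where Policytest.exe is not at hand, the following added script (not part of the original post or of Exchange) performs the same check from PowerShell: it exports each domain controller's effective local security policy with secedit.exe, lists which principals hold SeSecurityPrivilege, and flags any DC where the Exchange group is missing. It assumes PowerShell remoting is enabled on the DCs and that the group name is passed in ($ExchangeGroup, a parameter introduced here).

```powershell
# Added example (not from the original post): show which principals hold
# SeSecurityPrivilege on every domain controller and flag any DC where the
# Exchange group is missing, by exporting each DC's effective local policy
# with secedit.exe and reading the SeSecurityPrivilege line.
# Assumptions: run elevated with PowerShell remoting enabled on the DCs;
# $ExchangeGroup is "Exchange Enterprise Servers" for Exchange 2000/2003
# or "Exchange Servers" for Exchange 2007.
param([string]$ExchangeGroup = 'Exchange Servers')

# secedit writes principals as *S-1-5-..., so resolve the group to a SID once.
$groupSid = (New-Object System.Security.Principal.NTAccount($ExchangeGroup)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value

# Enumerate DCs without needing the ActiveDirectory module.
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers

foreach ($dc in $dcs) {
    $line = Invoke-Command -ComputerName $dc.Name -ScriptBlock {
        $inf = Join-Path $env:TEMP 'userrights.inf'
        # Export only the User Rights area of the effective policy.
        secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        Get-Content $inf | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' } | Select-Object -First 1
        Remove-Item $inf -ErrorAction SilentlyContinue
    }

    # Right-hand side is a comma-separated list of *SID (or *name) entries.
    $holders = @()
    if ($line) {
        $holders = @((($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') })
    }

    # Translate SIDs to names for readable output; leave unresolvable entries as-is.
    $names = foreach ($h in $holders) {
        try { (New-Object System.Security.Principal.SecurityIdentifier($h)).Translate(
                  [System.Security.Principal.NTAccount]).Value }
        catch { $h }
    }

    New-Object PSObject -Property @{
        DomainController  = $dc.Name
        SeSecurityHolders = ($names -join '; ')
        HasExchangeGroup  = ($holders -contains $groupSid)
    }
}
```

A DC reporting HasExchangeGroup = False is the one whose policy needs the fix described in the next section.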

The solution…

I suppose you have a couple of choices:
1. Rerun Exchange setup with the /DomainPrep (2000/2003) or /PrepareDomain (2007) switch, depending on your version of Exchange.
2. Edit the Default Domain Controllers Policy, or create a new GPO, and go to: Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment. From there, add the required Exchange servers group to the Manage auditing and security log right.

If the SeSecurityPrivilege right is being reset repeatedly, and you cannot determine why, audit changes made to domain controller security policy:
1. On each domain controller, increase the size and rollover settings of the Security log as much as necessary to hold the additional logging information.
2. Start the Domain Controllers Security Policy console.
3. Expand Local Policies, expand Audit Policy, and then turn on Success auditing for Directory Access and Policy Changes.
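Once that auditing is on, the Security log records every user-right change. The added script below (mine, not from the original post) pulls the "user right assigned" (4704) and "user right removed" (4705) events that involve SeSecurityPrivilege from each DC, so you can see when, on which DC, and under which account the Exchange group lost or regained the right. It assumes Windows Server 2008 or later DCs and permission to read the remote Security log.

```powershell
# Added example (not from the original post): once Policy Change success
# auditing is enabled as in step 3 above, pull the "user right assigned"
# (4704) and "user right removed" (4705) events that involve
# SeSecurityPrivilege from each DC's Security log, to see when, on which
# DC and under whose account the Exchange group lost or regained the right.
# Assumptions: Windows Server 2008 or later DCs (Get-WinEvent and these
# event IDs; Windows 2003 writes legacy IDs 608/609 instead) and permission
# to read the remote Security log.
param([int]$Days = 7)

$dcs   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
$since = (Get-Date).AddDays(-$Days)

foreach ($dc in $dcs) {
    $filter = @{ LogName = 'Security'; Id = 4704, 4705; StartTime = $since }
    $events = Get-WinEvent -ComputerName $dc.Name -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Event data layout for 4704/4705: [0] SubjectUserSid, [1] SubjectUserName,
        # [2] SubjectDomainName, [3] SubjectLogonId, [4] PrivilegeList, [5] TargetSid
        if ([string]$e.Properties[4].Value -notmatch 'SeSecurityPrivilege') { continue }

        $targetSid = [string]$e.Properties[5].Value
        try   { $target = (New-Object System.Security.Principal.SecurityIdentifier($targetSid)).Translate(
                              [System.Security.Principal.NTAccount]).Value }
        catch { $target = $targetSid }

        if ($e.Id -eq 4704) { $action = 'Assigned' } else { $action = 'Removed' }

        New-Object PSObject -Property @{
            Time             = $e.TimeCreated
            DomainController = $dc.Name
            Action           = $action
            Target           = $target
            ChangedBy        = "$($e.Properties[2].Value)\$($e.Properties[1].Value)"
        }
    }
}
```

When the removal comes from Group Policy or a template being reapplied, ChangedBy will typically be the DC's own SYSTEM account rather than an administrator, which points you at the GPO or tool doing the reset rather than at a person.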


Filed under Microsoft, Security, Windows Server

4 responses to “Exchange Servers need the Manage Auditing and Security Log right”

  1. Nolan Edick

    As for Exchange auditing there is a great solution called change auditor for exchange (http://www.changeauditorforexchange.com). The tool can report and alert on all critical changes to Exchange configuration like distribution list changes, mailbox policies, administrative groups, and track user and administrator activity. Change auditor for exchange is also good for compliance reporting on the fly.

  2. Hello all,

    A user with this right can use the security tab in the security permission set editor's Properties dialog box to specify auditing options for the selected object. Thanks a lot…

  3. Great thoughts you got there, believe I may possibly try just some of it throughout my daily life.

    Management Audit

  4. Hi, Admin

    Your blog decorated on “Manage Auditing Act” that I enjoyed your blog. I have gained a lot of information variously. Obviously, I chosen your blog. Although you may want a Self managing rental properties to help you select and decide on the buy of a residence, you should also perform your own analysis for your financial commitment programs. By doing aspects on your own, you preserve from needless pressure to buy even before you have discovered the most ideal residence. Making cautious choices based on what you prefer and your programs best can be carried out if you take an impartial strategy to all the qualities that are within your making an investment capacity which will be limited by whether you anticipate to handle it (be a landlord) or seek the services of someone or a control organization to look after it for you.

    Many many thanks for your Nice able Blog.
