If troubleshooting why your Exchange services are not starting, be sure to double-check the Manage auditing and security log permission on the Default Domain Controller Policy. When the “Manage auditing and security log” permission (SeSecurityPrivilege) is removed from the Exchange Enterprise Servers (Exchange 2000/2003) or the Exchange Servers (Exchange 2007) group, many issues may arise, including those found here:


Why does Exchange need the Manage Security and Auditing Log permission?

The SeSecurityPrivilege right is required to support various Exchange security functions, including the ability to report which Windows accounts are being used to gain access to mailboxes. These groups are granted the required access rights because Exchange no longer uses its own security/service account, but the Local System account, which has no permissions on machines other than its own. Thus, the Exchange server groups are required for proper authentication.

By default, the only group in the domain with SeSecurityPrivilege right is the built-in Administrators group. When Exchange 2003 is installed, the /domainprep process grants this privilege to the Exchange Enterprise Servers. For Exchange 2007, the /PrepareDomain process grants this privilege to the Exchange Servers group.

How can this privilege be revoked?

There are several reasons which could lead to this privilege being reset or revoked. First, if the Security.inf template is reapplied to the domain, the SeSecurityPrivilege right is reset to its default. Also, third-party security auditing or configuration tools may raise a general security recommendation flagging that a group other than Built-In\Administrators holds the SeSecurityPrivilege. Wanting to ensure security “best practices” are followed, an administrator may then remove the Exchange Enterprise Servers group.

How can you verify the privilege is in place?

The Policytest.exe utility, included on the Exchange installation CD-ROM, can be used to verify the privilege is in place. Simply execute the .exe to view output similar to that shown below:

Policytest will check each domain controller to verify the right is in place.
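The same per-domain-controller check can be scripted. The following is an added example, not part of the original post and not Microsoft's Policytest.exe; it exports the effective User Rights area from each DC with secedit and reports whether the Exchange group's SID is listed for SeSecurityPrivilege. It assumes the ActiveDirectory module, PowerShell remoting to each DC, and a group name of "Exchange Servers" (pass "Exchange Enterprise Servers" for Exchange 2000/2003).

```powershell
# Added example (not from the original post or from Policytest.exe):
# check every domain controller's effective "Manage auditing and security log"
# assignment (SeSecurityPrivilege) for the Exchange server group.
# Assumptions: ActiveDirectory module present, Invoke-Command allowed to each DC,
# group named "Exchange Servers" (or "Exchange Enterprise Servers" for 2000/2003).
param(
    [string]$GroupName = 'Exchange Servers'
)

Import-Module ActiveDirectory

# The exported policy lists SIDs, not names, so resolve the group's SID once.
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $sids = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        # Export only the User Rights area of the effective local security policy.
        $inf = Join-Path $env:TEMP 'userrights.inf'
        secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content $inf | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
        Remove-Item $inf -ErrorAction SilentlyContinue
        if ($line) {
            # Right-hand side is a comma-separated list of *SID entries.
            ($line -split '=', 2)[1].Trim() -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') }
        }
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        HasExchangeGroup = ($sids -contains $groupSid)
        AssignedSids     = ($sids -join ', ')
    }
}

$results | Format-Table -AutoSize

# A DC reporting HasExchangeGroup = False is one that Exchange servers will fail
# against; restore the right via /DomainPrep, /PrepareDomain or the GPO.
$missing = $results | Where-Object { -not $_.HasExchangeGroup }
if ($missing) {
    Write-Warning "SeSecurityPrivilege missing on: $($missing.DomainController -join ', ')"
}
```

Run it in the root domain if the Exchange group lives there; secedit exports the effective policy, so a DC that has not yet refreshed Group Policy may lag behind the GPO change.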

The solution…

I suppose you have a couple of choices:
1. Rerun Exchange setup using the /DomainPrep (2000/2003) or /PrepareDomain (2007) switch depending on your version of Exchange.
2. Edit the Default Domain Controller Policy, or create a new GPO, and go to: Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment. From there, add the required Exchange Servers group to the Manage Auditing and Security Log privilege.

If the SeSecurityPrivilege right is being reset repeatedly, and you cannot determine why, audit changes made to domain controller security policy:
1. On each domain controller, change the size and rollover settings for the Security log as much as necessary to support increased amounts of logging information.
2. Start the Domain Controllers Security Policy console.
3. Expand Local Policies, expand Audit Policy, and then turn on Success auditing for Directory Access and Policy Changes.