What groups in an Exchange environment provide privilege escalation pathways to domain admin?
After installing Exchange, the **Microsoft Exchange Security Groups** OU contains three critical groups: **Exchange Trusted Subsystem**, **Exchange Windows Permissions**, and **Organization Management**. Any user added to these groups inherits **WriteDACL** on the domain object, which can be abused with tools like **PowerView** to grant **DCSync** permissions. The article "Domain Penetration - Using Specific ACLs in Exchange Server for Domain Privilege Escalation" details this exact path.
Tags: Exchange Trusted Subsystem, Organization Management, WriteDACL, domain privilege escalation, PowerView