Yes, that is not possible. The Exchange team say that Exchange’s log file folder MUST remain as created, i.e. with permissions for only Administrators, because otherwise, MSFT told them, MSFT would not support it.
I know I can test this theoretically. But corporate reality is that service owners do not want to lose permissions and are less than helpful when you ask them to check if they can work with fewer permissions. It’s always the same: the principle of least privilege is great, but obviously not in our situation/for our application.
Our company is too large to have one team for Windows Server and Exchange. There are lots of other applications with the same issue as well. We cannot just make all those hundreds of people into one team with essentially the same job description.
We have similar issues with IIS (iismgr.exe refuses to work without admin rights, fixed via a self-created “sudo” for Windows), SharePoint (team say it falls apart completely if a certain icon is clicked without the clicker having admin rights), Tableau (has a cmd file that looks for a java.exe and then runs a Java program base64-encoded into the same batch file, won’t run without admin rights), and basically every piece of “enterprise software” imaginable. All “require” admin rights, and the vendors never care to provide what permissions their software really needs or why; they just check whether they are run as admin, and that’s what they support.
Of course, Microsoft themselves are among the worst perpetrators of this custom.
VMS had a feature that would give a certain image certain privileges, but Windows doesn’t have that (or at least I haven’t found it yet). A Unix-like sudo is also not a good answer because the vast majority of Windows applications allow users to start programs from the open-file/save-file dialogue, rendering a sudo-based approach useless. (Tableau is a special case because it actually looks for a java.exe and hence anyone can provide it an exe file of their choice.)
I am now looking into an approach where a job object limits the number of processes running within it with admin rights to one (the first started) but even that will not necessarily help with Exchange.