Wednesday, December 09, 2015

Can't send mail in Exchange 2016 OWA -- unsent mail in drafts folder

All was well in our Exchange 2016 environment until our recent scheduled server outage in which I applied the latest Microsoft security updates.  Then mail stopped flowing:  all messages ended up in the drafts folder.    When this happened earlier in the year, I restarted the transport services:

# Restart the transport services when mail won't flow (messages stuck in the OWA Drafts folder)
Restart-Service MSExchangeTransport
Restart-Service MSExchangeFrontEndTransport

No change.  Looking in the event logs, I see a mountain of red.  That is never a good thing!  I notice Event ID 3003 from source MSExchange BackEndRehydration: "NT AUTHORITY\SYSTEM does not have token serialization permission."

Something got tightened down or changed.  Our first suspect: permissions.  According to Microsoft KB Article 2898571, this is usually caused by an effective Deny on the ms-Exch-EPI-Token-Serialization extended right for the Exchange server's computer object.  A Deny ACE for a group applies to every principal that carries that group's SID in its token, so a computer account that ends up in one of the following groups (which are explicitly DENIED ms-Exch-EPI-Token-Serialization) loses the right even though it is also a member of the Exchange Servers group:
* Domain Admins
* Schema Admins
* Enterprise Admins
* Organization Management

Check the security groups the computer's token currently contains, as reported by the last Group Policy refresh (gpresult is a command-line tool, not a cmdlet; run it from an elevated prompt on the Exchange server):
gpresult /scope computer /r

UGH!  The computer is now a member of the Schema Admins security group.  I removed the computer from that group and everything is fine.

Note that a computer account's group memberships are read into its token when it logs on, so after removing the account from the group expect to restart the server (or at least the Exchange services) before the Deny stops applying.

For the sake of completeness, the Exchange computer should be a member of these five groups:

  • Domain Computers
  • Exchange Install Domain Servers
  • Exchange Servers
  • Exchange Trusted Subsystem
  • Managed Availability Servers
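
The check above, automated as an added example that is not part of the original post: it reads the computer account's direct and nested group membership straight from Active Directory (rather than the cached token gpresult reports), flags membership in any of the four denied groups, reports any of the five expected groups that are missing, lists explicit Deny ACEs for the token-serialization right on the computer object, and pulls recent Event ID 3003 entries.  It assumes the RSAT ActiveDirectory module, an account that can read AD, and an Exchange server named EXCH01 (replace with your own).

```powershell
# Added example, not from the original post. Audits an Exchange 2016 server's
# computer account for the condition described above: membership (direct or
# nested) in a group that carries a Deny on ms-Exch-EPI-Token-Serialization,
# the expected Exchange group memberships, and any recent Event ID 3003.
# Assumptions: RSAT ActiveDirectory module, a user who can read AD, and a
# server name of EXCH01 (replace with your own).
Import-Module ActiveDirectory

$ServerName = 'EXCH01'   # assumption: replace with the Exchange server's name

# Groups denied ms-Exch-EPI-Token-Serialization (KB 2898571)
$DeniedGroups = @('Domain Admins', 'Schema Admins', 'Enterprise Admins', 'Organization Management')

# Groups an Exchange 2016 server's computer account is expected to be in
$ExpectedGroups = @('Domain Computers', 'Exchange Install Domain Servers', 'Exchange Servers',
                    'Exchange Trusted Subsystem', 'Managed Availability Servers')

$computer = Get-ADComputer -Identity $ServerName
$dn = $computer.DistinguishedName

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested membership,
# so a Deny picked up through a group-of-a-group is caught as well. gpresult
# only shows the token as of the last logon; this reads the directory directly.
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
          Select-Object -ExpandProperty Name

$denied  = @($groups | Where-Object { $DeniedGroups -contains $_ })
$missing = @($ExpectedGroups | Where-Object { $groups -notcontains $_ })

"Computer: $ServerName"
"Member of: $($groups -join ', ')"
if ($denied.Count -gt 0) {
    Write-Warning "Member of token-serialization-denied group(s): $($denied -join ', ')"
    Write-Warning "Remove the computer account from these groups, then restart the server."
} else {
    'No membership in a denied group.'
}
if ($missing.Count -gt 0) {
    Write-Warning "Missing expected group(s): $($missing -join ', ')"
}

# Show any explicit Deny ACE for the token-serialization extended right on the
# computer object. The right's GUID is read from the Extended-Rights container
# in the configuration partition rather than hard-coded.
$configNC = (Get-ADRootDSE).ConfigurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
         -LDAPFilter '(&(objectClass=controlAccessRight)(name=ms-Exch-EPI-Token-Serialization))' `
         -Properties rightsGuid
if ($right) {
    $guid = [guid]$right.rightsGuid
    $acl = Get-Acl -Path "AD:\$dn"
    $denyAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $guid
    }
    if ($denyAces) {
        'Explicit Deny ACEs for ms-Exch-EPI-Token-Serialization on the computer object:'
        $denyAces | Select-Object IdentityReference, IsInherited | Format-Table -AutoSize
    }
}

# Recent Event ID 3003 entries mentioning token serialization (run this part
# on the Exchange server itself, where the Application log lives).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 3003 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*token serialization*' } |
    Select-Object TimeCreated, ProviderName, Message | Format-List
```

Running this before and after the group change gives a clean before/after record; if the denied-group warning clears but Event ID 3003 keeps appearing, the server has not yet picked up a fresh token and a restart is still pending.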