Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

The Lsass.exe process may stop responding on a Windows Server 2003-based computer or on a Windows XP-based computer that is in an Active Directory domain environment


View products that this article applies to.

Symptoms

In an Active Directory domain environment, the Lsass.exe process may stop responding on a Microsoft Windows Server 2003-based computer or on a Microsoft Windows XP-based computer.

In this situation, you receive the following error message:
System Shutdown - The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost.

This shutdown was initiated by NT AUTHORITY\SYSTEM. Shutdown will begin in <number> seconds.

Shutdown message: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code <error code>. The system will now shut down and restart.
Additionally, the following event is logged in the Application log:This problem may occur if the following conditions are true:
  • Some Internet Protocol Security (Ipsec) policies are configured to help secure network communication.
  • Security settings are customized for all Group Policy objects (GPOs) that are applied to domain computers. Specifically, the Everyone group and the Authenticated Users group do not have permission to access any GPO. All other groups, such as the Domain Users group and the Domain Computers group, have permission to access the GPOs.
  • On Windows Server 2003-based computers, Windows Server 2003 Service Pack 2 is installed.
  • On Windows XP-based computers, a hotfix is installed. This hotfix has a file version that is either later than or equal to the file version that is described in the following Microsoft Knowledge Base article:
    895406 All policies on a Windows XP-based computer are refreshed when you enable an IPsec policy

↑ Back to the top


Cause

This problem occurs because the Ipsec module (IPSecsvc.dll) generates an error when the Everyone group and the Authenticated Users group do not have the Read permission and the Apply Policy permission to access any GPO.

↑ Back to the top


Workaround

To work around this problem, make sure that the Authenticated Users group has the Read permission and the Apply Policy permission to access at least one GPO that is applied to domain computers. To do this, grant the Authenticated Users group the Read permission and the Apply Policy permission to the default domain policy.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


Keywords: kb, kbprb, kbexpertiseinter, kbtshoot, kberrmsg

↑ Back to the top

Article Info
Article ID : 938482
Revision : 6
Created on : 8/20/2020
Published on : 8/20/2020
Exists online : False
Views : 1489