Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

LSASS.exe Group Policy Conflict

Posted on 2010-09-02
7
Medium Priority
?
1,094 Views
Last Modified: 2012-05-10
I am experiencing a and issue with Group Policy that is causing LSASS.exe to crash on workstations. I know it is a GP conflict causing access denied errors to ntdll, kerberos and so forth. My question is does anyone have any suggestions as to troubleshooting my actual GP's. Does anyone know what access / permissions are needed for users / machines to utilize lsass.exe?
0
Comment
Question by:slipservice
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 2

Expert Comment

by:dehcbad25
ID: 33588664
LSASS is the Local Security Authority Subsystem Service. If it crashes the computer will restart. I seriously doubt that a GP will cause problems with LSASS, but f you want to troubleshoot it from that end run a report on the settings for the policy in question, print it (or save to PDF), then run a Resultant Set of policy and also save it.
After you have documented the offending policy, create a blank policy and apply it to 1 computer (so you can focus on getting one working), and test it. It should not crash LSASS, if it still crashes, then it is not your GP.
You can run a RSoP with the blank GP to make sure no other GP are being applied.
Right now if we assume a GP is crashing your GP, the only area I think could be responsible would be "Account Policies" in the "Security Settings" section., but a blank GP would fix that.
LSASS crashes are usually linked to malware. Have you run a malware scan? try with Malaware-Bytes Anti-Malware, and then run a deep anti virus scan
0
 
LVL 1

Author Comment

by:slipservice
ID: 33588888
Absolutely Clean. I believe it to be GP because the crash dumps show access denied.
0
 
LVL 2

Expert Comment

by:dehcbad25
ID: 33589339
does it happen on Safe Mode?
lsass is opened by the service Security Accounts Manager. Local System should be the account that runs it, and it should be automatic. Lsass enforces the policies, so it makes no sense to think that lsass is crashing because of a policy.
The file is located at C:\Windows\system32\lsass.exe
permissions should be
System, Administrators, Users R&E
TrustedInstaller Full Control
And there are no special permissions set (and it is not inherited). The owner would be TrustedINstaller.
This I am all readying in a Windows 7 PC.
There has been a patch for lsass on XP
http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en
(this will also reset the permissions to default)
Did you try using a clean GP to see what happens?
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 1

Author Comment

by:slipservice
ID: 33589440
I will check the permissions and see if we have the hotfix applied. I really appreciate the info. i think we are on to something here.

0
 
LVL 1

Author Comment

by:slipservice
ID: 33649587
We have several domain controllers on the network and some of them havent fully replicated GP, we are forcing replication and will have to start from there. The way it is now there is no baseline to work from. Not sure why they havent replicated.
0
 
LVL 2

Accepted Solution

by:
dehcbad25 earned 2000 total points
ID: 33663603
not having replication for the group policies seem to be the biggest problem then. Run a report so you can see all the settings (using GPMC) and see what it could be causing problems.
Has any of the DC been off for a long time or were imaged/converted to Virtual?
0
 
LVL 1

Author Closing Comment

by:slipservice
ID: 34394226
Once we established that the other DCs should replicate from the PDC we forced replication and forced gp update on the PC side. The error seems to be resolved, we will be monitoring.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question