When you change a User Rights Assignment security policy setting, an MMC process may slow down or stop responding

Article translations Article translations
Article ID: 843404 - View products that this article applies to.
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all

On This Page

SYMPTOMS

When you try to modify a User Rights Assignment security policy setting in the Default Domain Policy Microsoft Management Console (MMC) snap-in on a Microsoft Windows 2000-based domain, you may experience one or more of the following symptoms:
  • The MMC process that is used to modify the User Rights Assignment security policy setting may be slow or may appear to stop responding.
  • The Lsass.exe process on the domain controllers in your network may use more CPU resources than you expect.
  • You may notice an increase in network traffic. This symptom will be most noticeable on domain controllers in trusted domains.
The symptoms may increase with the number of trusted domains in your environment.

CAUSE

This problem may occur if the Group Policy Object Editor tries to resolve items that are defined in the policy but that should not be resolved by the Group Policy Object Editor. The symptoms occur because the Lsass.exe process is overworked.

RESOLUTION

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

No prerequisites are required.

Restart requirement

You must restart your computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time    Version          Size      File name
   ------------------------------------------------------------
   24-Mar-2004  02:17   5.0.2195.6876    388,368   Advapi32.dll
   24-Mar-2004  02:17   5.0.2195.6866     69,904   Browser.dll
   24-Mar-2004  02:17   5.0.2195.6824    134,928   Dnsapi.dll
   24-Mar-2004  02:17   5.0.2195.6876     92,432   Dnsrslvr.dll
   15-Nov-2001  23:27                      5,149   Empty.cat
   24-Mar-2004  02:17   5.0.2195.6883     47,888   Eventlog.dll
   24-Mar-2004  02:17   5.0.2195.6890    143,632   Kdcsvc.dll
   11-Mar-2004  02:37   5.0.2195.6903    210,192   Kerberos.dll
   21-Sep-2003  00:32   5.0.2195.6824     71,888   Ksecdd.sys
   11-Mar-2004  02:37   5.0.2195.6902    520,976   Lsasrv.dll
   25-Feb-2004  23:59   5.0.2195.6902     33,552   Lsass.exe
   19-Jun-2003  20:05   5.0.2195.6680    117,520   Msv1_0.dll
   24-Mar-2004  02:17   5.0.2195.6897    312,592   Netapi32.dll
   19-Jun-2003  20:05   5.0.2195.6695    371,984   Netlogon.dll
   24-Mar-2004  02:17   5.0.2195.6896  1,028,880   Ntdsa.dll
   24-Mar-2004  02:17   5.0.2195.6897    388,368   Samsrv.dll
   07-Jun-2004  21:21   5.0.2195.6939    114,448   Scecli.dll
   24-Mar-2004  02:17   5.0.2195.6903    253,200   Scesrv.dll
   04-Jun-2004  23:13   5.0.2195.6935  5,887,488   Sp3res.dll
   24-Mar-2004  02:17   5.0.2195.6824     50,960   W32time.dll
   21-Sep-2003  00:32   5.0.2195.6824     57,104   W32tm.exe

WORKAROUND

To work around this problem, you can restrict the lookup of isolated names. For additional information about how to restrict the lookup of isolated names, click the following article number to view the article in the Microsoft Knowledge Base:
818024 How to restrict the lookup of isolated names in external trusted domains by using the LsaLookupRestrictIsolatedNameLevel registry entry
This workaround does not require you to install a new hotfix. However, you must install all available security updates on your computer.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
816915 New file naming schema for Microsoft Windows software update packages
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 843404 - Last Review: October 26, 2013 - Revision: 2.5
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Advanced Server
Keywords: 
kbnosurvey kbarchive kbautohotfix kbqfe kbhotfixserver kbbug kbfix kbwin2000presp5fix KB843404

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com