Address AD object renaming issues when success auditing is enabled

Applies to: Windows 8.1Windows 8.1 EnterpriseWindows 8.1 Pro

Not sure if this is the right fix? We've added this issue to our memory dump diagnostic which can confirm.


Consider the following scenario:
  • Domain Controller operating on Windows Server 2012 R2.
  • Advanced auditing is configured for "success audit" for "directory service changes."
  • Auditing is enabled for certain objects in the AD (user, group, OU).
  • An "auditing enabled" object is successfully renamed.
In this situation, the DC crashes in Local Security Authority Subsystem Service (LSASS) and restarts unexpectedly.


To resolve this issue, install update rollup 2928680, or install the hotfix that is described in this article.

Update information

For more information about how to obtain update rollup 2928680, click the following article number to view the article in the Microsoft Knowledge Base:
2928680 Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: March 2014

Hotfix information

A supported hotfix is now available from Microsoft. However, it is intended to correct only the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Customer Support Services to obtain the hotfix. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft website:Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.


To apply this hotfix, you must be running Windows 8.1 or Windows Server 2012 R2.

Registry information

To apply this hotfix, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
The following tools are known to trigger object renames operation:
  • Active Directory Users and Computers (ADUC or DSA.MSC)
  • Active Directory Administrative Center (ADAC or DSAC.EXE)
  • Active Directory Sites and Services (DSSITE.MSC)
  • DNS Manager (DNSMGMT.MSC) when changing zone scopes and possibly other operations like deleting DNS zones
  • Microsoft Exchange 2007 Management console
  • Rename-AdoObject PowerShell commandlet
For an example of the logged events, see the following event log information:

Application Error Event ID 1000
Log Name: Application
Event Source: Application Error
Event ID 1000
Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
Exception code: 0xc0000005
Fault offset: 0x000000000019e45d
Faulting process id: 0x214
Faulting application start time: 0x01cefa6743edbeec
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\ntdsai.dll
Report Id: d4cd7581-665c-11e3-80d7-005056984a2b
Faulting package full name:
Faulting package-relative application ID:

Microsoft-Windows-Wininit Event 1015
Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 22.01.2014 13:43:47
Event ID: 1015
Description: A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.