The Lsass.exe process may stop responding on a Windows Server 2003-based computer or on a Windows XP-based computer that is in an Active Directory domain environment

Applies to: Windows Servers

Symptoms


In an Active Directory domain environment, the Lsass.exe process may stop responding on a Microsoft Windows Server 2003-based computer or on a Microsoft Windows XP-based computer.

In this situation, you receive the following error message:
System Shutdown - The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost.

This shutdown was initiated by NT AUTHORITY\SYSTEM. Shutdown will begin in <number> seconds.

Shutdown message: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code <error code>. The system will now shut down and restart.
Additionally, the following event is logged in the Application log:This problem may occur if the following conditions are true:
  • Some Internet Protocol Security (Ipsec) policies are configured to help secure network communication.
  • Security settings are customized for all Group Policy objects (GPOs) that are applied to domain computers. Specifically, the Everyone group and the Authenticated Users group do not have permission to access any GPO. All other groups, such as the Domain Users group and the Domain Computers group, have permission to access the GPOs.
  • On Windows Server 2003-based computers, Windows Server 2003 Service Pack 2 is installed.
  • On Windows XP-based computers, a hotfix is installed. This hotfix has a file version that is either later than or equal to the file version that is described in the following Microsoft Knowledge Base article:
    895406 All policies on a Windows XP-based computer are refreshed when you enable an IPsec policy

Cause


This problem occurs because the Ipsec module (IPSecsvc.dll) generates an error when the Everyone group and the Authenticated Users group do not have the Read permission and the Apply Policy permission to access any GPO.

Workaround


To work around this problem, make sure that the Authenticated Users group has the Read permission and the Apply Policy permission to access at least one GPO that is applied to domain computers. To do this, grant the Authenticated Users group the Read permission and the Apply Policy permission to the default domain policy.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.