-
Titel
DirSync: LSASS access denied error code 5 -
Beschreibung
Directory Sync workflow observed LSASS access denied error code 5 when syncing passwords
[BTPassSvc] - VirtualAllocEx failed: 5
[BTPassSvc] - Exiting serviceFailed to open LSASS process (pid #xxx): 5
-
Ursache
The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies.
The Windows operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages.
Error 5 means that access is denied to the LSASS process. This could be the account is not a Domain Admin, or the LSASS process is protected, or AV is preventing access. To check if LSASS is protected on the DC check the following:
Open the Registry Editor and check the value RunAsPPL is it set to 1? (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
Lastly, the issue could be caused by LSA Protection, which is enforced on UEFI level instead of OS level.
Using Process Explorer - it's possible to check, what protection is on the lsass.exe process.
Please run Process Explorer in Run As Admin mode even when logging in as a domain admin. Find LSASS.EXE process and double-click it. Then go to Security tab.
A RunAsPPL lsass.exe process will indicate Protected: PsProtectedSignerLsa-Light. If RunAsPPL is not set - it will say Protected: No -
Lösung
Disable LSA protection1.)Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.a.) Modify the existing regkey "RunAsPPL" to disable LSA protection by changing the value to 0
or
b.) Delete the value from the registry key: "RunAsPPL"=dword:00000001.
Note - Password Sync does not require a pdc emulator. However a pdc emulator is required for SID History -
Weitere Informationen
Disclaimer: "Support does not provide support for problems that arise from improper modification of the registry. The Windows registry contains information critical to your computer and applications. Make sure you back up the registry before modifying it. For more information on the Windows Registry Editor and how to back up and restore it, refer to Microsoft Article ID 256986 “Description of the Microsoft Windows registry” at Microsoft Support."