Directory Sync workflow observed LSASS access denied error code 5 when syncing passwords
[BTPassSvc] - VirtualAllocEx failed: 5
[BTPassSvc] - Exiting service
Failed to open LSASS process (pid #xxx): 5
The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies.
The Windows operating system provides additional protection for the LSA to prevent memory reads and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages.
Error 5 means that access to the LSASS process is denied. Possible causes are that the account is not a Domain Admin, that the LSASS process is protected, or that AV is preventing access. To check whether LSASS is protected on the DC, check the following:
Open the Registry Editor (RegEdit.exe), navigate to the registry key located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, and check whether the value RunAsPPL is set to 1.
Lastly, the issue could be caused by LSA Protection, which is enforced at the UEFI level instead of at the OS level.
Process Explorer can show which protection is applied to the lsass.exe process. A RunAsPPL lsass.exe process will show Protected: PsProtectedSignerLsa-Light. If it is not RunAsPPL, it will show Protected: No.
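A scripted version of the registry check described above, as an added example that is not part of the original article or the vendor's tooling. The RunAsPPL value 2 and the WinInit event 12 lookup come from Microsoft's LSA protection documentation rather than from this page, and the function name Get-LsaProtectionState is hypothetical.

```powershell
# Added diagnostic example (not vendor code). Run elevated on the domain controller.
function Get-LsaProtectionState {   # hypothetical helper name
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # RunAsPPL may be absent, which means the setting is not configured in the registry.
    $prop  = Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue
    $value = if ($null -ne $prop) { $prop.RunAsPPL } else { $null }

    if     ($null -eq $value) { $meaning = 'RunAsPPL not configured' }
    elseif ($value -eq 0)     { $meaning = 'LSA protection disabled in the registry' }
    elseif ($value -eq 1)     { $meaning = 'Enabled, backed by a UEFI variable' }
    elseif ($value -eq 2)     { $meaning = 'Enabled without a UEFI variable (Windows 11 22H2 and later)' }
    else                      { $meaning = "Unexpected value: $value" }

    # The registry shows the configured state only. WinInit event 12 in the System log
    # records that LSASS actually started as a protected process at boot.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 }
    $evt  = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

    # Heuristic: an event 12 newer than the last boot means the running LSASS is protected.
    [pscustomobject]@{
        RunAsPPL               = $value
        RegistryMeaning        = $meaning
        LastBoot               = $boot
        ProtectedStartLogged   = if ($evt) { $evt.TimeCreated } else { $null }
        ProtectedOnCurrentBoot = [bool]($evt -and $evt.TimeCreated -ge $boot)
    }
}

Get-LsaProtectionState | Format-List
```

A mismatch between RegistryMeaning and ProtectedOnCurrentBoot points to a registry change since the last boot or to the UEFI-level enforcement mentioned above.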