Directory Sync workflow observed LSASS access denied error code 5 when syncing passwords
[BTPassSvc] - VirtualAllocEx failed: 5
[BTPassSvc] - Exiting service
Failed to open LSASS process (pid #xxx): 5
The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies.
The Windows operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages.
Error 5 means that access is denied to the LSASS process. This could be the account is not a Domain Admin, or the LSASS process is protected, or AV is preventing access. To check if LSASS is protected on the DC check the following:
Open the Registry Editor and check the value RunAsPPL is it set to 1? (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
Lastly, the issue could be caused by LSA Protection, which is enforced on UEFI level instead of OS level.
Using Process Explorer - it's possible to check, what protection is on the lsass.exe process.
Please run Process Explorer in Run As Admin mode even when logging in as a domain admin. Find LSASS.EXE process and double-click it. Then go to Security tab.
A RunAsPPL lsass.exe process will indicate Protected: PsProtectedSignerLsa-Light. If RunAsPPL is not set - it will say Protected: No
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. 使用条款 隐私 Cookie Preference Center