LISTACCT Causes LSASS to Use 90-100 Percent CPU Usage

ID: Q216683


The information in this article applies to:


IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SYMPTOMS

After you run the Listacct.exe utility on a primary domain controller, you may experience CPU usage as high as 90 to 100 percent. Severe latency when opening applications and slow desktop navigation will result from the CPU bottleneck.


CAUSE

These symptoms occur when the RestrictAnonymous value conflicts with the user privileges that were adjusted by running Listacct.exe. When RestrictAnonymous is set to 1, it competes with the privileges set or denied by Listacct.exe within the local security authority (LSA), which results in the high CPU usage.


RESOLUTION

To bring the server back to a normal state, change the following registry value:

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

  1. Start Registry Editor (Regedt32.exe).

  2. Locate the RestrictAnonymous value under the following key in the registry:

          HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

  3. On the Edit menu, click DWORD, type 0, and then click OK.

  4. Quit Registry Editor.

This step can be very time consuming because LSASS is consuming most of the system's processing time. It is recommended that you restart the server and perform these steps immediately after it restarts.


MORE INFORMATION

Domain administrators can use the Listacct.exe tool to grant or deny the right to list domain user accounts. You can obtain the Listacct.exe tool by calling Microsoft Technical Support. The Listacct.exe tool uses the following syntax:


Listacct [-d"Account" | -g"Account"]

   -d"Account" denies domain list access to the specified account
   -g"Account" grants domain list access to the specified account 

A user who is not granted the "Domain List Accounts" right does not see a list of domain users in the User Manager tool. To use the Listacct.exe tool to grant only members of the Domain Administrators and Account Operators groups permission to list user accounts, use the following command:

   Listacct "-gDomain Administrators" "-gAccount Operators" "-dEveryone"

NOTE: The domain administrator should run this command on the primary domain controller.

The Listacct.exe tool is designed for Windows NT 3.51 or 4.0. Using the Listacct.exe tool on a computer running Windows 2000 with the Active Directory directory services installed could lead to unpredictable results and is not supported by Microsoft.


REFERENCES

For additional information, please see the following article(s) in the Microsoft Knowledge Base:

Q143474 Restricting Information Available to Anonymous Logon Users

Q180782 How to Modify the Right to Display Users in User Manager

Version           : winnt:4.0 SP3,4.0 SP4
Platform          : winnt 
Issue type        : kbprb 

Last Reviewed: February 12, 1999