Symptom & Impact
LSASS pegs CPU on a Windows Server 2016 domain controller or member server, causing interactive logons, RDP, and Kerberos ticket issuance to stall for users and applications.
Environment & Reproduction
Observed during heavy authentication storms, NTLM bursts from legacy apps, or after enabling new auditing settings.
# Snapshot of the LSASS process and a short CPU sample (counter path needs the leading backslashes)
Get-Process lsass | Select Id,CPU,Threads
Get-Counter '\Process(lsass)\% Processor Time' -SampleInterval 2 -MaxSamples 5
Root Cause Analysis
Causes include malformed clients, NTLM hammering, audit log overflow, expensive LDAP queries, or third-party security agents hooking LSASS.
Quick Triage
Capture LSASS counters and authentication events quickly.
Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4625 or EventID=4776)]]" -MaxEvents 30
# LDAP search rate and NTLM authentication rate on the DC
Get-Counter '\NTDS\LDAP Searches/sec','\Security System-Wide Statistics\NTLM Authentications' -SampleInterval 2 -MaxSamples 5
Step-by-Step Diagnosis
Use NTLM auditing and LDAP diagnostics to find the offending source.
# Confirm that Credential Validation (NTLM, event 4776) auditing is on
auditpol /get /subcategory:"Credential Validation"
# NTLM operational log; enable NTLM auditing first if it is empty
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 50
# NTDS diagnostics levels (raise '15 Field Engineering' to log expensive/inefficient LDAP queries)
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
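The triage and diagnosis steps above both come down to finding which client is generating the authentication load. The script below is an added example, not part of the original article: it pulls 4776 (NTLM credential validation, source in the Workstation field) and 4625 (failed logon, source in the IpAddress field) events from the Security log and ranks sources by event count. The $MaxEvents and $TopN defaults are assumptions; run it elevated on the DC while LSASS is busy.

```powershell
# Added example: rank authentication sources behind an LSASS CPU spike.
# Assumed defaults: $MaxEvents (how far back to read) and $TopN (rows to show).
function Get-AuthStormSources {
    param(
        [int]$MaxEvents = 5000,
        [int]$TopN = 10
    )

    $events = Get-WinEvent -LogName Security `
        -FilterXPath "*[System[(EventID=4625 or EventID=4776)]]" `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # The source field lives in EventData, so parse the event XML
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        switch ($e.Id) {
            4776 {
                [pscustomobject]@{
                    Id      = 4776
                    Source  = $data['Workstation']      # NTLM: computer that sent the request
                    Account = $data['TargetUserName']
                    Status  = $data['Status']           # 0x0 = success, 0xC000006A = bad password
                }
            }
            4625 {
                [pscustomobject]@{
                    Id      = 4625
                    Source  = $data['IpAddress']        # failed logon: client address
                    Account = $data['TargetUserName']
                    Status  = $data['Status']
                }
            }
        }
    }

    # Group by event type and source; the top row is the client to look at first
    $rows | Group-Object Id, Source |
        Sort-Object Count -Descending |
        Select-Object -First $TopN Count, Name,
            @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } }
}

Get-AuthStormSources
```

A single workstation with a very high 4776 count and a small set of accounts is the usual signature of a legacy application or service account hammering NTLM; many distinct accounts from one address with a non-zero Status is worth escalating to the security team rather than treating purely as a performance problem.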

Solution – Primary Fix
Block runaway sources at the firewall, restrict the server to NTLMv2 (LmCompatibilityLevel 5 refuses LM and NTLMv1 responses, so confirm legacy clients can send NTLMv2 before applying it), and stabilise LSASS via targeted KBs and configuration fixes.
# Refuse LM and NTLMv1; accept NTLMv2 only
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -Value 5
New-NetFirewallRule -DisplayName 'Block legacy NTLM client' -Direction Inbound -RemoteAddress 10.0.20.55 -Action Block
Restart-Service Netlogon
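The rollback plan later in this article sets LmCompatibilityLevel back to 3, which is only right if 3 was the value before the change. The following added example (not from the original article) snapshots the relevant LSA values to a JSON file before applying the fix so the rollback restores what was actually there. $BackupPath is an assumed location; the firewall rule name and address are the ones used in this article.

```powershell
# Added example: snapshot LSA values, apply the fix, and keep a restore path.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Backup-LsaValues {
    param(
        # Assumed backup location
        [string]$BackupPath = "$env:ProgramData\lsa-backup-$(Get-Date -Format yyyyMMdd-HHmmss).json"
    )
    $props    = Get-ItemProperty -Path $LsaKey
    $snapshot = @{}
    foreach ($name in 'LmCompatibilityLevel', 'RunAsPPL') {
        # A value that does not exist yet is stored as null so Restore removes it again
        $snapshot[$name] = $props.$name
    }
    $snapshot | ConvertTo-Json | Set-Content -Path $BackupPath
    return $BackupPath
}

function Restore-LsaValues {
    param([Parameter(Mandatory)][string]$BackupPath)
    $snapshot = Get-Content -Path $BackupPath -Raw | ConvertFrom-Json
    foreach ($p in $snapshot.PSObject.Properties) {
        if ($null -eq $p.Value) {
            Remove-ItemProperty -Path $LsaKey -Name $p.Name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $LsaKey -Name $p.Name -Value ([int]$p.Value)
        }
    }
    # Lift the temporary block as part of the same rollback
    Disable-NetFirewallRule -DisplayName 'Block legacy NTLM client' -ErrorAction SilentlyContinue
    Restart-Service Netlogon
}

# Take the snapshot, then apply the primary fix from this article
$backup = Backup-LsaValues
Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value 5
New-NetFirewallRule -DisplayName 'Block legacy NTLM client' -Direction Inbound -RemoteAddress 10.0.20.55 -Action Block
Restart-Service Netlogon
"Snapshot written to $backup. To roll back: Restore-LsaValues -BackupPath '$backup'"
```

Keep the JSON file with the change record; it is the evidence of the pre-change state if the helpdesk reports breakage days later.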

Solution – Alternative Approaches
Offload heavy LDAP clients to RODCs or dedicated DCs, and tune LSASS with hotfixes for known leaks.
# Identify read-only DCs that can absorb heavy LDAP readers
Get-ADDomainController -Filter * | Select Name,IsReadOnly
# List installed updates to compare against the LSASS hotfixes in the KB you are applying
Get-HotFix | Where-Object {$_.HotFixID -match 'KB'} | Select HotFixID,InstalledOn
Verification & Acceptance Criteria
LSASS CPU returns below 30 percent and 4768/4624 events flow without queueing.
Get-Process lsass | Select CPU,Handles,Threads
Get-WinEvent -LogName Security -MaxEvents 20 | Select TimeCreated,Id
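The 30 percent acceptance threshold is easy to misjudge from the raw counter: \Process(lsass)\% Processor Time is summed across cores and can read well above 100 on a multi-core DC. The added example below (not from the original article) samples the counter, divides by the logical processor count, and also counts 4768/4624 events in the last few minutes as a coarse check that ticket issuance and logons are flowing. Parameter defaults are assumptions.

```powershell
# Added example: acceptance check for the LSASS CPU threshold and event flow.
function Test-LsassRecovery {
    param(
        [int]$ThresholdPercent = 30,   # acceptance threshold from this article
        [int]$Samples          = 5,    # assumed sample count
        [int]$IntervalSeconds  = 2,    # assumed interval
        [int]$WindowMinutes    = 5     # assumed lookback for event counts
    )

    # Normalise per-process CPU to the host's logical processor count
    $cores = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
    $raw   = (Get-Counter '\Process(lsass)\% Processor Time' `
                -SampleInterval $IntervalSeconds -MaxSamples $Samples).CounterSamples |
             Select-Object -ExpandProperty CookedValue

    $avg = [math]::Round((($raw | Measure-Object -Average).Average / $cores), 1)
    $max = [math]::Round((($raw | Measure-Object -Maximum).Maximum / $cores), 1)

    # Kerberos TGT requests (4768) and successful logons (4624) in the window
    $since  = (Get-Date).AddMinutes(-$WindowMinutes)
    $flow   = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4624; StartTime = $since } `
                -ErrorAction SilentlyContinue
    $counts = $flow | Group-Object Id | ForEach-Object { @{ $_.Name = $_.Count } }

    [pscustomobject]@{
        LogicalProcessors  = $cores
        AveragePercent     = $avg
        PeakPercent        = $max
        ThresholdPercent   = $ThresholdPercent
        CpuPass            = ($avg -lt $ThresholdPercent)
        Events4768         = ($counts | ForEach-Object { $_['4768'] } | Measure-Object -Sum).Sum
        Events4624         = ($counts | ForEach-Object { $_['4624'] } | Measure-Object -Sum).Sum
        WindowMinutes      = $WindowMinutes
    }
}

Test-LsassRecovery
```

A passing average with a peak still near the threshold usually means the load is bursty; repeat the sample at the time of day the original symptom was reported before closing the ticket.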
Rollback Plan
Disable temporary NTLM block rules and revert audit overrides if helpdesk reports legacy app breakage.
Disable-NetFirewallRule -DisplayName 'Block legacy NTLM client'
# Revert to the value recorded before the change (3 is used here as in the primary fix's starting point)
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -Value 3
Prevention & Hardening
Patch LSASS with current cumulative updates, enable LSA protection (RunAsPPL takes effect after a reboot and stops unsigned third-party agents from loading into LSASS, which also removes one of the hooking causes listed above), and monitor NTLM/LDAP counters.
# Run LSASS as a protected process; requires a reboot
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -Value 1
Get-Counter '\Process(lsass)\% Processor Time'
Related Errors & Cross-Refs
Often linked to Kerberos ticket pressure, audit log overflow, and Credential Guard interactions.
References & Further Reading
Microsoft Learn: LSA protection, NTLM auditing, and LDAP performance counters reference.