You configured Active Directory (AD) as the Lightweight Directory Access Protocol (LDAP) server type. Users see the Lsass.exe process using 100% CPU on the Domain Controller designated in the LDAP configuration of the Brightmail Control Center. This causes a large number of queries against AD using un-indexed attribute.
There are two possible solutions to Lsass.exe using 100% CPU:
In the query filter replace both instances of ObjectClass with ObjectCategory. ObjectCategory is indexed.
Modify the Active Directory Schema to index ObjectClass.