Hi,
I see in system even log SAM database error messages saying that Account
Can't be locked, due to resource error
Event ID:12294, and that account is domain\administrator

That means something or someone is trying to logon to domain as
administrator but failing. (also can't lock the account, because I
disabled). How I find from what IP or workstation these attempt being made?
Event log doesn't mention
Thanks
MC

Are you sure you don't have a service on that computer running under the
administrator account with an old admin password?

Check the services that are set to start up automatically. Look for one that
is not started and see what account it is using.


hth
DDS

"MC" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hi,
> I see in system even log SAM database error messages saying that Account
> Can't be locked, due to resource error
> Event ID:12294, and that account is domain\administrator
>
> That means something or someone is trying to logon to domain as
> administrator but failing. (also can't lock the account, because I
> disabled). How I find from what IP or workstation these attempt being
> made?
> Event log doesn't mention
> Thanks
> MC

No, service is running as Administrator account.
Besides, it only happens 1 or 2 times a week.
When I look at Security Log, I see at least 100 attempt within 1-2minute
period.
MC

"Danny Sanders" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Are you sure you don't have a service on that computer running under the
> administrator account with an old admin password?
>
> Check the services that are set to start up automatically. Look for one
> that is not started and see what account it is using.
>
>
> hth
> DDS
>
> "MC" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> Hi,
>> I see in system even log SAM database error messages saying that Account
>> Can't be locked, due to resource error
>> Event ID:12294, and that account is domain\administrator
>>
>> That means something or someone is trying to logon to domain as
>> administrator but failing. (also can't lock the account, because I
>> disabled). How I find from what IP or workstation these attempt being
>> made?
>> Event log doesn't mention
>> Thanks
>> MC
>
>

use NETLOGON debug logging

Enabling debug logging for the Net Logon service
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
DBFlag = 0x2080FFFF (in: %windir%\debug\netlogon.log)


google for NETLOGON debug logging and you will find more info

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"MC" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hi,
> I see in system even log SAM database error messages saying that Account
> Can't be locked, due to resource error
> Event ID:12294, and that account is domain\administrator
>
> That means something or someone is trying to logon to domain as
> administrator but failing. (also can't lock the account, because I
> disabled). How I find from what IP or workstation these attempt being
> made?
> Event log doesn't mention
> Thanks
> MC

Did you ever find a solution to this issue?

I have been experiencing the same thing since changing our domain admin
password.

Enabling the logging only shows me that the failed login attempts originate
from the DC logging the errors. I have been through my services ten times to
ensure none are left with the old password.

"MC" wrote:

> Hi,
> I see in system even log SAM database error messages saying that Account
> Can't be locked, due to resource error
> Event ID:12294, and that account is domain\administrator
>
> That means something or someone is trying to logon to domain as
> administrator but failing. (also can't lock the account, because I
> disabled). How I find from what IP or workstation these attempt being made?
> Event log doesn't mention
> Thanks
> MC
>
>