Event ID 12294 - The SAM database was unable to lockout the account...

Blake

Getting this a couple times/day in the event log of our DCs (Windows 2000
native mode AD):

The SAM database was unable to lockout the account of ? due to a resource
error, such as a hard disk write failure (the specific error code is in the
error data) . Accounts are locked after a certain number of bad passwords
are provided so please consider resetting the password of the account
mentioned above.

Anybody seen this before??

Blake
 
Jerold Schulman

This could be an attack. See tip 7144 » How do I use the EventCombMT tool to
search multiple computers for account lockout events?
in the 'Tips & Tricks' at http://www.jsiinc.com

Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 
Guest

Blake, I would consider the fact that it could be someone attempting to
guess a user account password. Since it is only a couple of times a day
that would not be my first guess. If you don't already, enable auditing on
logon events success and failures. This might help provide further info in
the security event log about which DC is attempting the authentication and
the user account.
My initial reaction would be that you have a user account that the password
has been changed on and you still have either a service or TS session that
is attempting to authenticate with the old password.
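
Added example, not part of the original thread: one way to triage the audited logon failures suggested above, separating a slow repeat from a single host (the stale service or TS session credential case) from a burst that looks like password guessing. It assumes the Security log has been exported to CSV with the column layout shown; the burst threshold, account names and host names are constructed, and 529, 675 and 681 are the Windows 2000-era failed-logon event IDs.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000-era Security log IDs: bad password, Kerberos pre-auth failure, NTLM failure.
FAILED_LOGON_IDS = {"529", "675", "681"}
BURST_WINDOW, BURST_THRESHOLD = timedelta(minutes=10), 5  # assumed tuning values

# Constructed sample export (assumed columns): time, DC, event ID, account, source host.
SAMPLE = """\
2004-03-01 02:00:05,DC1,681,svc_backup,APP01
2004-03-02 02:00:04,DC2,681,svc_backup,APP01
2004-03-02 09:15:01,DC1,529,jsmith,WS17
2004-03-02 09:15:02,DC1,529,jsmith,WS17
2004-03-02 09:15:04,DC1,529,jsmith,WS17
2004-03-02 09:15:05,DC1,529,jsmith,WS17
2004-03-02 09:15:07,DC1,529,jsmith,WS17
2004-03-02 09:15:09,DC1,644,jsmith,WS17
2004-03-02 11:30:00,DC2,529,mlee,WS22
"""

def max_burst(times):
    """Largest number of failures that fall inside any single BURST_WINDOW."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > BURST_WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best

def triage(export_text):
    """Return {account: (verdict, sorted source hosts)} from failed-logon rows."""
    by_account = defaultdict(list)
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) == 5 and row[2] in FAILED_LOGON_IDS:  # ignores e.g. 644 lockouts
            when = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
            by_account[row[3].lower()].append((when, row[4].upper()))
    report = {}
    for account, hits in by_account.items():
        times = [t for t, _ in hits]
        sources = sorted({s for _, s in hits})
        if max_burst(times) >= BURST_THRESHOLD:
            verdict = "burst: possible password guessing"
        elif len(sources) == 1 and len({t.date() for t in times}) >= 2:
            verdict = "slow repeat from one host: likely stale credential"
        else:
            verdict = "inconclusive"
        report[account] = (verdict, sources)
    return report
```

Merge the exports from every DC before running it, since each failure is logged only on the DC that handled the attempt.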
 
Blake

I can understand the inclination that this is a password guess attempt, but
the frequency of these logs makes that unlikely.

I am just worried that this is a problem with the AD itself. It could be a
service trying to log on...

Blake, I would consider the fact that it could be someone attempting to
guess a user account password. Since it is only a couple of times a day
that would not be my first guess. If you don't already, enable auditing on
logon events success and failures. This might help provide further info
in the security event log about which DC is attempting the authentication
and the user account.
My initial reaction would be that you have a user account that the password
has been changed on and you still have either a service or TS session that
is attempting to authenticate with the old password.



--
James Brandt [MSFT]


 
Steven L Umbach

Hi Blake.

Have you seen the KB below that mentions AD collisions as a possibility? I have not
seen it myself, so can not offer much more as far as a solution but I thought you
might be interested in the KB. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;306091

 
Blake

Thanks Steve. I have seen that KB article, and I AM getting the error data:

0xc00002a5

It just makes me nervous that this has started in the past few weeks and we
haven't done anything significant to our AD (such as adding a DC).
Everything here is local, we have 2 DCs on our domain. Nothing fancy.
Thanks again

Blake
