locked
The SAM database was unable to lockout the account of SBSMonAcct due to a resource error- Event ID:12294, SOURCE:Directory-Services-SAM RRS feed

  • Question

  • We have an SBS2011 server that's displaying event ID  ID:12294, SOURCE:Directory-Services-SAM every hour. The SBS console displays monitoring information correctly for the 50 or so systems on the LAN and all appears well yet we get this error every hour. Full details of the error are below.

    Log Name:      System
    Source:        Microsoft-Windows-Directory-Services-SAM
    Date:          06/07/2012 09:30:01
    Event ID:      12294
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      Server.OurDomain.local
    Description:
    The SAM database was unable to lockout the account of SBSMonAcct due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Directory-Services-SAM" Guid="{0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE}" />
        <EventID>12294</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-07-06T08:30:01.499909300Z" />
        <EventRecordID>423788</EventRecordID>
        <Correlation />
        <Execution ProcessID="572" ThreadID="632" />
        <Channel>System</Channel>
        <Computer>Server.OurDomain.local</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="SAMMSG_LOCKOUT_NOT_UPDATED">
        <Data Name="UserName">SBSMonAcct</Data>
        <Binary>A50200C0</Binary>
      </EventData>
    </Event>

    This doesn't seem to be having any effect on the monitoring but it's starting to annoy me a little. I was considering reparing the monitoring features as per the link here -> http://technet.microsoft.com/en-us/library/gg680308 but figured I'd ask the question on the off chance that someone else had seen this before I go down that route.

    Friday, July 6, 2012 11:33 AM

Answers

All replies

  • According to the following KB article and thread, this can be caused by virus on one of the clients:

    User accounts are unexpectedly locked, and event ID 12294 is logged in Windows Server 2003

    http://support.microsoft.com/kb/887433

    Event ID 12294-Directory-Services-Sam Error

    http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2networking/thread/929a6673-d3da-4f6f-814e-b7a7f4bfedaa/

    Also check this article:

    Event ID 12294 — Account Lockout

    http://technet.microsoft.com/en-us/library/ee411036(v=ws.10)


    Sean Zhu

    TechNet Community Support

    • Marked as answer by Sean Zhu - Monday, July 16, 2012 5:59 AM
    Monday, July 9, 2012 8:57 AM
  • Hi Sean,

    Apologies that I didn't come back to you on this. Bad form but I've been away. I don't believe that the issue was virus related as the warning was regularly appearing on an hourly basis and I'm assuming that as this is the Monitoring account that the monitoring processes were kicking in at this point. I'd find it hard to believe that Malware on a client would target that single account only on a hourly basis.

    Nonetheless since my return I've found that the error has simply vanished. The last report of it was on the 16th. Not sure if a new update has resolved this but I'm happy enough.

    Thanks for your help Sean.

    R

    Thursday, July 26, 2012 9:13 AM
  • Wanted to revive this thread with something I found.

    We have a customer with SBS2011

    We wanted to do a domain join migration from that to a 2012 R2 Standard AD environment

    We joined a Server 2012R2 Standard machine to the domain, installed hyper-v, and set up two VMs: a new Domain Controller, and a File Server. As of this time the dc vm had not been promoted to Domain Controller yet

    I found that the error above was happening, and we were seeing audit failures for the same account name on both VMs and the Hyper-V host, predicated on these conditions:

    The SBS Server hit a condition of C: having zero bytes free. the C partition was woefully undersized on that server and it was one of the reasons we wanted to move to a new server.

    We moved the paging file (20GB or so, the server has 16 GB RAM) from the C drive to the Data volume and rebooted

    When the SBS box came back up, we did not notice that the Network profile had come up as a PUBLIC one, rather than domain.

    After searching for days for the solution to this problem, including manually resetting the password on the SBSMonAcct nothing helped

    Today I noticed the Public network profile issue, I rebooted the SBS server again, and the errors on SBS and the audit failures on the others had stopped.


    "Time is an illusion, Lunchtime, doubly so..." - Ford Prefect

    Monday, July 27, 2015 9:46 PM