locked
Event ID 12294 errors RRS feed

  • Question

  • I am getting the following error on my Windows 2003 SP2 domain controller.

    Event Type: Error 
    Event Source: SAM 
    Event Category: None 
    Event ID: 12294 
    Date: 10/22/2013 
    Time: 10:30:15 
    User: xxxxxxxxxx
    Computer: xxxxxxx
    Description: 


    The SAM database was unable to lockout the account of admin 
    due to a resource error, such as a hard disk write failure
    (the specific error code is in the error data) . 
    Accounts are locked after a certain number of bad passwords are provided so 
    please consider resetting the password of the account mentioned above.


    Regards, Saqib Fareed

    Tuesday, October 22, 2013 10:06 AM

All replies

  • Hi,

    Follow the link !

    http://technet.microsoft.com/en-us/library/cc733228(v=ws.10).aspx

    And also check the following :

    This problem can be caused by the W32.Randex.F worm. See ME887433 for details on this issue.

    See ME824209 on how to use the EventCombMT utility to search the event logs of multiple computers for account lockouts.

    From a newsgroup post: "The administrator account is not subject to lockout. You need to examine the client machine(s) where the bad logon requests are originating,  and then find the user or application that is using the wrong password. Sometimes the name of the account can help. For instance,  if the account name is the name of a service account,  then you can be reasonably certain that you are looking for a miss-configured service. The "workstation" field in the logon audits tells you where the logon request originated".                       


    This problem can also be caused by a variant of the W32/Sdbot.worm worm (McAfee says there are over 4000 variants). McAfee enterprise VirusScan missed this. We enabled Kerberos debugging and the netlogon file in the debug folder pointed out the machines infected. The security auditing event file can point out some of them,  but some machines did not log to it. Registry editing and running the Trend Micro scanner repaired the machines in question.         


    Per a recent call with Microsoft,  open the “Netlogon.log” file (in W2K,  it is in “C:\WINNT\Debug”). Failed logon attempts will be noted here; look for the Error code 0xC000006A returned,  which indicates a bad password. The system named is the one you should focus on as possibly running a service that is attempting to use an incorrect password to start. In our case,  Dell IT Assistant was using a bad administrator password,  and every status poll was generating a SAM error.        

    Tuesday, October 22, 2013 11:00 AM