none
Error ID 12294 Directory-Services-SAM

    Question

  • Hi,

    we have 2 windows 2008 R2 doamin controllers. I changed password for built-in domain Administrator two days ago and now I am getting errors on both controllers.

    Error ID 12294 Directory-Services-SAM

    The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

    How could I solve this?
    Wednesday, September 12, 2012 1:07 PM

Answers

  • Hi,

    Error ID 12294 means there are numerous failure authentication events in security log due to incorrect credentials or could be a virus issue.

    As you have changed the built-in domain Administrator password then ensure that the credentials are updated everywhere. e.g. for service account, IIS application pool, account tied to a scheduled task,  virtual machine, mapped drice, etc...

    If you have already verified the the old Administrator credentials are updatetd everywhere then the reason for event 12294 is worm virus and you need to full virus scan and Malicious Software Removal tool Virus to remove the Win32/Conficker malware family.

    Event ID: 12294 Woes
    http://blogs.technet.com/b/mempson/archive/2012/01/13/event-id-12294-woes.aspx

    Malicious Software Removal tool Virus to remove the Win32/Conficker malware family.
    http://support.microsoft.com/kb/962007


    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    • Proposed as answer by Meinolf Weber Thursday, September 13, 2012 7:05 AM
    • Marked as answer by Yan Li_Moderator Thursday, September 20, 2012 7:11 AM
    Wednesday, September 12, 2012 1:22 PM
  • Hi,

    we have 2 windows 2008 R2 doamin controllers. I changed password for built-in domain Administrator two days ago and now I am getting errors on both controllers.

    Error ID 12294 Directory-Services-SAM

    The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

    How could I solve this?

    It looks to be password spoof or brute force attack has been performed may by by virus/worm/malware or some mischievous person within or outside organization.

    http://technet.microsoft.com/en-us/library/cc733228%28v=ws.10%29.aspx

    I would involve my security/network team & use Netmon/Wireshark tool to verify the source from which password is been tried to guessed or cracked or just try to lockout.

    By default, only in-built administrator account in the AD which doesn't get locked out.



    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Meinolf Weber Thursday, September 13, 2012 7:04 AM
    • Marked as answer by Yan Li_Moderator Thursday, September 20, 2012 7:11 AM
    Wednesday, September 12, 2012 1:42 PM
    Moderator
  • Hi,

    A malicious user may be attempting to logon to the machine by "brute forcr"ing the password.

    The SAM event indicates that the enough attempts were made on the administrator account to cross the Account lockout threshold. As the administrator cannot be locked out, this event is logged instead. A machine is infected by virus it could not be trusted no longer. Microsoft suggests reinstalling the system.

     

    For more information about troubleshooting account lockout issue, you can use Account Lockout and management Tools to help rule out the root cause of this issue.

     

    Account Lockout and Management Tools

    http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

    For more information, please refer to:

    Troubleshooting account lockout problems in Windows Server 2003, in Windows 2000, and in Windows NT 4.0

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;315585

    Regards,

    Yan Li


    Yan Li

    TechNet Community Support

    Thursday, September 13, 2012 2:41 AM
    Moderator
  • This could be the sympton of Win32/Conficker worm.See below link for more details.I would also recommend to install latest hotfix and SP and update the virus defination as well and scan the servers.

    SAM error administrator(Event ID: 12294)
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/a404642c-d700-4536-a076-2df2da4c652d/

    Refer below link for more step on trroubleshooting account lockout.
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/94a7399f-7e7b-4404-9509-1e9ac08690a8/
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1c7e66a4-6a81-4118-89df-2e290852c3cc/

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Thursday, September 13, 2012 3:17 AM

All replies

  • Hi,

    Error ID 12294 means there are numerous failure authentication events in security log due to incorrect credentials or could be a virus issue.

    As you have changed the built-in domain Administrator password then ensure that the credentials are updated everywhere. e.g. for service account, IIS application pool, account tied to a scheduled task,  virtual machine, mapped drice, etc...

    If you have already verified the the old Administrator credentials are updatetd everywhere then the reason for event 12294 is worm virus and you need to full virus scan and Malicious Software Removal tool Virus to remove the Win32/Conficker malware family.

    Event ID: 12294 Woes
    http://blogs.technet.com/b/mempson/archive/2012/01/13/event-id-12294-woes.aspx

    Malicious Software Removal tool Virus to remove the Win32/Conficker malware family.
    http://support.microsoft.com/kb/962007


    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    • Proposed as answer by Meinolf Weber Thursday, September 13, 2012 7:05 AM
    • Marked as answer by Yan Li_Moderator Thursday, September 20, 2012 7:11 AM
    Wednesday, September 12, 2012 1:22 PM
  • Hi,

    we have 2 windows 2008 R2 doamin controllers. I changed password for built-in domain Administrator two days ago and now I am getting errors on both controllers.

    Error ID 12294 Directory-Services-SAM

    The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

    How could I solve this?

    It looks to be password spoof or brute force attack has been performed may by by virus/worm/malware or some mischievous person within or outside organization.

    http://technet.microsoft.com/en-us/library/cc733228%28v=ws.10%29.aspx

    I would involve my security/network team & use Netmon/Wireshark tool to verify the source from which password is been tried to guessed or cracked or just try to lockout.

    By default, only in-built administrator account in the AD which doesn't get locked out.



    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Meinolf Weber Thursday, September 13, 2012 7:04 AM
    • Marked as answer by Yan Li_Moderator Thursday, September 20, 2012 7:11 AM
    Wednesday, September 12, 2012 1:42 PM
    Moderator
  • Hi,

    A malicious user may be attempting to logon to the machine by "brute forcr"ing the password.

    The SAM event indicates that the enough attempts were made on the administrator account to cross the Account lockout threshold. As the administrator cannot be locked out, this event is logged instead. A machine is infected by virus it could not be trusted no longer. Microsoft suggests reinstalling the system.

     

    For more information about troubleshooting account lockout issue, you can use Account Lockout and management Tools to help rule out the root cause of this issue.

     

    Account Lockout and Management Tools

    http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

    For more information, please refer to:

    Troubleshooting account lockout problems in Windows Server 2003, in Windows 2000, and in Windows NT 4.0

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;315585

    Regards,

    Yan Li


    Yan Li

    TechNet Community Support

    Thursday, September 13, 2012 2:41 AM
    Moderator
  • This could be the sympton of Win32/Conficker worm.See below link for more details.I would also recommend to install latest hotfix and SP and update the virus defination as well and scan the servers.

    SAM error administrator(Event ID: 12294)
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/a404642c-d700-4536-a076-2df2da4c652d/

    Refer below link for more step on trroubleshooting account lockout.
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/94a7399f-7e7b-4404-9509-1e9ac08690a8/
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1c7e66a4-6a81-4118-89df-2e290852c3cc/

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Thursday, September 13, 2012 3:17 AM
  • My windows server 2016 also facing this error....is the solution apply for windows server 2016 too?
    Wednesday, September 26, 2018 3:04 PM