Re: Event ID 12294 - The SAM database was unable to lockout the account...

From: Jerold Schulman (Jerry_at_jsiinc.com)
Date: 08/06/04


Date: Fri, 06 Aug 2004 15:36:42 -0400

On Fri, 6 Aug 2004 15:05:44 -0400, "Blake" <blake_duffey@NOSPAM.hotmail.com>
wrote:

>Getting this a couple times/day in the event log of our DCs (Windows 2000
>native mode AD):
>
>The SAM database was unable to lockout the account of ? due to a resource
>error, such as a hard disk write failure (the specific error code is in the
>error data). Accounts are locked after a certain number of bad passwords
>are provided so please consider resetting the password of the account
>mentioned above.
>
>Anybody seen this before??
>
>Blake
>
This could be an attack. See tip 7144 » "How do I use the EventCombMT tool to
search multiple computers for account lockout events?" in the 'Tips & Tricks'
at http://www.jsiinc.com

Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
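As an added example, not code from this post or from JSI tip 7144: a PowerShell function that does what Jerry's EventCombMT search does, pulling Event ID 12294 and the account lockout events from several DCs so repeated hits on one account can be spotted. The DC names are placeholders, and it assumes the caller can read event logs remotely and that the first insertion string of each event is the account name.

```powershell
function Find-SamLockoutFailures {
    [CmdletBinding()]
    param(
        # Placeholder DC names; replace with your own domain controllers.
        [string[]] $DomainController = @('DC1', 'DC2'),
        [datetime] $Since = (Get-Date).AddDays(-1)
    )
    foreach ($dc in $DomainController) {
        $filters = @(
            # Event 12294 is written to the System log by the SAM. The provider
            # name changed between Windows versions, so filter on the ID only.
            @{ LogName = 'System';   Id = 12294;    StartTime = $Since },
            # 4740 is the Security-log "account locked out" event on current
            # Windows; Windows 2000/2003 logged the same thing as event 644.
            @{ LogName = 'Security'; Id = 4740, 644; StartTime = $Since }
        )
        foreach ($f in $filters) {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $f `
                -ErrorAction SilentlyContinue
            foreach ($e in $events) {
                # Assumption: the first insertion string is the account name
                # (the "%1" in "unable to lockout the account of %1").
                $account = if ($e.Properties.Count -gt 0) { $e.Properties[0].Value } else { '?' }
                [pscustomobject]@{
                    DC      = $dc
                    Time    = $e.TimeCreated
                    EventId = $e.Id
                    Account = $account
                    Summary = ($e.Message -split '\r?\n')[0]
                }
            }
        }
    }
}

# Repeated 12294 hits on one account across DCs are the pattern worth chasing;
# a burst of lockout events against the same name alongside them points the
# same way.
Find-SamLockoutFailures -DomainController 'DC1', 'DC2' |
    Group-Object DC, EventId, Account |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```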


