Re: Question regarding Security event 12294

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/13/04 

Date: Tue, 13 Apr 2004 21:15:03 GMT

Could be. See the link from http://eventid.net for some possibilities. You may want
to look in the security log to see if there are any failed logon attempts and what
computer they are coming from. If none are shown there you may need to enable
auditing of logon events for failure for all computers in the domain looking to see
where these attempts are occurring. You can use Event Comb to scan domain computers
to make the job a lot easier. Event Comb is available in the link below and the white
paper in that link "Account Passwords and Policies" is very good for troubleshooting
account lockouts. --- Steve

http://eventid.net/display.asp?eventid=12294&eventno=875&source=SAM&phase=1
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

"Tyson" <anonymous@discussions.microsoft.com> wrote in message
news:1937701c42185$5bb804d0$a601280a@phx.gbl...
Am I correct that this means someone is trying to brute
force the administrator password for our domain? Ths body
seems a little odd; the "unable to lockout the account of
&#3750; due to a resource error" seems odd with the unprintable
character in there.

We are getting hundreds of these per week btw.

Event Type: Error
Event Source: SAM
Event Category: None
Event ID: 12294
Date: 4/10/2004
Time: 2:39:00 AM
User: DOMAIN\Administrator
Computer: DC
Description:
The SAM database was unable to lockout the account of &#3750;
due to a resource error, such as a hard disk write failure
(the specific error code is in the error data) . Accounts
are locked after a certain number of bad passwords are
provided so please consider resetting the password of the
account mentioned above.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: a5 02 00 c0 ¥..À

Relevant Pages

  • Re: Account Lockout
    ... Enable auditing and look for lockout ... From the lockout events, determine which clients they originate from. ... >>> Do this via a GPO and watch for failed logon attempts. ... I have a user's account that is getting ...
    (microsoft.public.win2000.active_directory)
  • Re: Account Lockout
    ... If the cached credentials go out of date (or if they have ... locked out due to autmoatic logon retries with bad passwords. ... The account lockout> seems to occur while the user is still logged in. ...
    (microsoft.public.win2000.security)
  • Re: all domain accounts locked out !!!
    ... Microsoft recommends that you use a lockout threshold of no less than 10 ... enforced complex passwords in your domain ideally with a password length of ... target the administrator account. ... controllers and domain workstations for failed logon attempts that may give ...
    (microsoft.public.windows.group_policy)
  • Re: access granted after lock out
    ... There many reasons that can cause an account to lockout. ... In this situations if you change the PW the services, or the users that are still logged on still try to use the old PW causing the lockout. ... I found many entries for a user account failed logon due to account ... domain controllers and there was no successful logon for this user. ...
    (microsoft.public.windows.server.active_directory)
  • Re: The SAM adatabase was unable to lockout the account of UserXX
    ... It's a user account ... ... The SAM database was unable to lockout the account of ClientCN504 due to a ... passwords are provided so please consider resetting the password of the ...
    (microsoft.public.windows.server.active_directory)