Event ID - 12294

Event Id: 12294
Source: SAM
Description: The SAM database was unable to lockout the account of user due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above. Data: 0000: c00002a5
Event Information:
According to Microsoft:
CAUSE:
This issue may occur when a computer on your network is infected with the W32.Randex.F worm or with a variant of it.
RESOLUTION:
To resolve this issue, run a complete virus scan on your network using the latest available virus definitions. Use the scan to remove the W32.Randex.F worm. For information about how to perform a virus scan or how to obtain the latest virus definitions, see your antivirus software documentation, or contact the manufacturer.

According to News Group:

From a Usenet post: "Think I have sorted this problem, one of our servers has a different Local Administrator password, compared to Domain Administrator, because all services on that server use the local Admin account. I don't know what services require the domain wide account, but setting them the same has fixed all problems."

---------------------------------------------------------------------------------------------------------------------
  • Log on to the affected Domain Controller and check failure audits in Security log. In my case I found eight PCs affecting our DC. I forced them to shut down and the attacks stopped. The PCs were taken off domain and reinstalled to ensure no viruses. All was fine after that.
    In our case, these errors occurred because of an FTP dictionary attack in which the attacker was attempting to log on to our FTP servers as Administrator. For each one of these entries on our Domain Controller there was a corresponding entry in our Microsoft FTP log files.

    ---------------------------------------------------------------------------------------------------------------------
    • From a newsgroup post: "The administrator account is not subject to lockout. You need to examine the client machine(s) where the bad logon requests are originating, and then find the user or application that is using the wrong password. Sometimes the name of the account can help. For instance, if the account name is the name of a service account, then you can be reasonably certain that you are looking for a misconfigured service. The "workstation" field in the logon audits tells you where the logon request originated".
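
The check the posts above describe (read the failure audits on the domain controller and use the workstation field to find where the bad logons originate), as an added PowerShell example that is not part of the original page. It assumes a domain controller running Windows Server 2008 or later, where failed NTLM validations are logged as event 4776 and failed Kerberos pre-authentication as event 4771; the `$Hours` and `$Top` parameters are illustrative names.

```powershell
# Added example, not from the original page. Run in an elevated session on the DC.
# Assumption: Windows Server 2008 or later with credential-validation and Kerberos
# authentication auditing enabled (events 4776 and 4771).
param(
    [int]$Hours = 24,   # look-back window (illustrative parameter)
    [int]$Top   = 20    # number of source/account pairs to show (illustrative parameter)
)

$filter = @{
    LogName   = 'Security'
    Id        = 4776, 4771
    Keywords  = 4503599627370496      # 0x10000000000000 = Audit Failure
    StartTime = (Get-Date).AddHours(-$Hours)
}

$failures = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the <EventData> name/value pairs into a hashtable.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        # 4776 records the client in "Workstation"; 4771 records only "IpAddress".
        $source = if ($_.Id -eq 4776) { $fields['Workstation'] } else { $fields['IpAddress'] }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $fields['TargetUserName']
            Source  = $source
            Status  = $fields['Status']   # 0xC000006A (4776) or 0x18 (4771) = wrong password
        }
    }

# One row per source/account pair, busiest first: the machines to examine.
$failures |
    Group-Object Source, Account |
    ForEach-Object {
        [pscustomobject]@{
            Source   = $_.Group[0].Source
            Account  = $_.Group[0].Account
            Failures = $_.Count
            First    = ($_.Group | Measure-Object Time -Minimum).Minimum
            Last     = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    } |
    Sort-Object Failures -Descending |
    Select-Object -First $Top |
    Format-Table -AutoSize
```

A single source with many failures against Administrator or a service account is the host to check for a stale stored password or an infected machine.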
Reference Links:

User accounts are unexpectedly locked, and event ID 12294 is logged in Windows Server 2003

How to Use the EventcombMT Utility to Search Event Logs for Account Lockouts

SAM Error ID 12294 Because of an Active Directory Collision
