Event ID - 12295

Event Id	12295
Source	SAM
Description	The SAM database attempted to delete the file %1 as it contains account information that is no longer used. The error is in the record data. Please have an administrator delete this file.
Event Information	According to Microsoft : Cause : This event is logged when the SAM database attempted to delete the file as it contains account information that is no longer used. Resolution : Delete the referenced file manually The Security Accounts Manager (SAM) was not able to delete the file that was referred to in the Event Viewer event text. Go to the file location that is referred to in the Event Viewer event text, and delete the file. If you are not able to delete the file, try again after you restart the computer. Perform the following procedure using a domain member computer that has domain administrative tools installed. To perform this procedure, you must have membership in Domain Admins or you must have been delegated the appropriate authority. To manually delete the referenced file: Type the path to the file in the Run box. For example, if the file to be deleted is C:\Windows\NTDS\ntds.dit, click Start click Run type c:\Windows\NTDS and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. Right-click the file named NTDS, and then click Delete. Note : As an alternative, you can type del C:\Windows\NTDS\ntds.dit /q at a command prompt. Verify : To ensure that the domain controller demotion was successful, verify that the Active Directory database files were removed and that the computer account is no longer in the Domain Controllers organizational unit (OU) or in the Domain Controllers group in Active Directory Users and Computers. Perform the following procedures using a domain member computer that has domain administrative tools installed. To perform these procedures, you must have membership in Domain Admins or you must have been delegated the appropriate authority. Verify that the Active Directory database files were removed To verify that the Active Directory database files were removed: Open a command prompt as an administrator. To open a command prompt as administrator, click Start. In Start Search, type Command Prompt. At the top of the Start Menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. At the command prompt, type cd /d %windir%\ntds, and then press ENTER. (If you installed Active Directory to a nondefault folder when you installed this domain controller, substitute that folder name and path for %windir%\ntds). If the result of this command is File not found, the files were deleted successfully. Verify that the computer account is no longer in the Domain Controllers OU or the Domain Controllers group To verify that the computer account is no longer in the Domain Controllers OU or the Domain Controllers group: Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER. Expand the domain object, if necessary, and then click the Domain Controllers OU. If the computer account is not in this container, the removal of the computer account from the OU was successful. Right-click the domain object, and then click Find. In Name, type Domain Controllers, and then click Find Now. The Domain Controllers group appears in Search results. Right-click the Domain Controllers group, and then click Properties. On the Members tab, ensure that the computer account is not listed.
Reference Links	Event ID 12295 from Source SAM

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught