Event ID 12294 — Account Lockout

Applies To: Windows Server 2008 R2

The Security Accounts Manager (SAM) is a service that is used during the logon process. The SAM maintains user account information, including groups to which a user belongs. The SAM is attempting to lock out the account that exceeded the threshold for the number of incorrect passwords entered.

Event Details

Product: Windows Operating System
ID: 12294
Source: SAM
Version: 6.0
Symbolic Name: SAMMSG_LOCKOUT_NOT_UPDATED
Message: The SAM database was unable to lockout the account of %1 due to a resource error, such as a hard disk write failure (the specific error code is in the error data). Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

Resolve

Disable the account, if necessary

The Security Accounts Manager (SAM) was not able to lock out an account as a result of a resource error, so the account stays usable even though it has exceeded the bad-password threshold. If the account appears to be under attack, disable the account. The account name is the %1 insertion string in the event message text shown in Event Viewer, and the error code that prevented the lockout is in the event's error data. Perform the following procedure using a domain member computer that has domain administrative tools installed.

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To disable an account:

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Right-click the object that represents your domain, and then click Find.
  3. In the Find Users, Groups, and Contacts dialog box, in Name, type the name of the user account, and then click Find Now.
  4. The user account should appear in Search results.
  5. Right-click the user account, and then click Disable Account.

Review other entries in Event Viewer to see if you can locate a resource issue (for example, a network, processor, or disk error) that may have prevented the SAM from locking out this account.

Verify

Perform the following procedure using a domain member computer that has domain administrative tools installed.

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To verify that there are no unlocked accounts that have exceeded the account lockout threshold for the domain:

  1. Open a command prompt as an administrator on the local computer. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start Menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type dsquery * -filter "(objectCategory=domain)" -attr lockoutThreshold, and then press ENTER. This displays the current account lockout threshold, which is used in the following step.
  3. To ensure that no accounts have exceeded the lockout threshold, type dsquery * -filter "(&(objectCategory=user)(badPwdCount>=Tn)(!(lockoutTime>=1)))" -attr samAccountName -limit 0, where Tn is the account lockout threshold value from the previous query, and then press ENTER. In LDAP filter syntax the & operator and the negated lockoutTime test must each sit inside their own parentheses, and the test is lockoutTime>=1 rather than >=0 so that an account whose lockoutTime was reset to 0 by a successful logon or an administrative unlock is treated as not locked. The -limit 0 switch lifts the default cap of 100 results.

If the account lockout threshold is a nonzero positive integer, the query should return no results; any account it does return has reached the threshold without a lockout being recorded and should be investigated. If the threshold is zero, account lockout is disabled and badPwdCount>=0 matches every user, so all user account names in the domain are returned. Two caveats apply. badPwdCount is not replicated between domain controllers; bad-password attempts are forwarded to the PDC emulator, which therefore holds the authoritative count, so run the query against it (dsquery accepts -s followed by the server name) or expect results that reflect only the domain controller you queried. lockoutTime is not cleared when the lockout duration expires, only by a successful logon or an administrative unlock, so an account whose lockout has already expired is excluded by this query even though it can log on again.
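
The Resolve and Verify procedures above, carried out in one PowerShell pass. This is an added example and not code from the original page: it assumes the ActiveDirectory module (RSAT, or a domain controller running Windows Server 2008 R2 or later), that 12294 events are read from the System log of the PDC emulator, and that the disable step is run with -WhatIf until the list has been reviewed.

```powershell
# Added example, not from the original page. Assumptions: the ActiveDirectory
# module is available, the PDC emulator is reachable for remote event log reads,
# and -WhatIf stays on the disable step until the output has been reviewed.
Import-Module ActiveDirectory

# badPwdCount is not replicated between DCs and bad-password attempts are
# forwarded to the PDC emulator, so query it rather than whichever DC answers.
$dc = (Get-ADDomain).PDCEmulator

# 1. Accounts named in recent 12294 events. The SAM source writes to the System
#    log; %1 in the message is the first insertion string (the account name).
$events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'System'; ProviderName = 'SAM'; Id = 12294 }
$named = @($events | ForEach-Object { $_.Properties[0].Value } | Sort-Object -Unique)

# 2. The domain's lockout policy: the value the page's first dsquery reads.
$policy    = Get-ADDefaultDomainPasswordPolicy -Server $dc
$threshold = $policy.LockoutThreshold

# 3. Users at or above the threshold that carry no lockout stamp. Same intent as
#    the page's second dsquery filter, with valid LDAP grouping; lockoutTime of 0
#    (cleared by a successful logon or an admin unlock) counts as not locked.
$overThreshold = @()
if ($threshold -gt 0) {
    $filter = "(&(objectCategory=user)(badPwdCount>=$threshold)(!(lockoutTime>=1)))"
    $overThreshold = @(Get-ADUser -Server $dc -LDAPFilter $filter -Properties badPwdCount, badPasswordTime)
}

# 4. Accounts the DC itself considers locked. Search-ADAccount -LockedOut honours
#    lockoutDuration, which a raw lockoutTime>=1 test cannot, because lockoutTime
#    is not cleared when the duration expires.
$locked = @(Search-ADAccount -Server $dc -LockedOut | Select-Object -ExpandProperty SamAccountName)

foreach ($u in $overThreshold) {
    $badAt = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
    "{0,-24} badPwdCount={1,-4} lastBad={2} in12294={3}" -f $u.SamAccountName, $u.badPwdCount, $badAt, ($named -contains $u.SamAccountName)
}

# 5. Disable accounts that appear in a 12294 event, are over the threshold, and are
#    still not locked. Remove -WhatIf once the list above has been reviewed.
foreach ($u in $overThreshold) {
    if ($named -contains $u.SamAccountName -and $locked -notcontains $u.SamAccountName) {
        Disable-ADAccount -Server $dc -Identity $u.DistinguishedName -WhatIf
    }
}
```

If the threshold is 0 the filter in step 3 is skipped, since lockout is disabled and badPwdCount>=0 would match every user. Step 5 disables only accounts that the event log, the threshold query and the DC's own lockout computation all agree on; an account that is merely over the threshold but not named in a 12294 event is listed for review rather than acted on.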
