Getting this a couple times/day in the event log of our DCs (Windows 2000
native mode AD):

The SAM database was unable to lockout the account of ? due to a resource
error, such as a hard disk write failure (the specific error code is in the
error data) . Accounts are locked after a certain number of bad passwords
are provided so please consider resetting the password of the account
mentioned above.

Anybody seen this before??

Blake

On Fri, 6 Aug 2004 15:05:44 -0400, "Blake"
wrote:

>Getting this a couple times/day in the event log of our DCs (Windows 2000
>native mode AD):
>
>The SAM database was unable to lockout the account of ? due to a resource
>error, such as a hard disk write failure (the specific error code is in the
>error data) . Accounts are locked after a certain number of bad passwords
>are provided so please consider resetting the password of the account
>mentioned above.
>
>Anybody seen this before??
>
>Blake
>
This could be an attack. See tip 7144 » How do I use the EventCombMT tool to
search multiple computers for account lockout events?
in the 'Tips & Tricks' at http://www.jsiinc.com

Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com

Blake, I would consider the fact that it could be someone attempting to
guess a user account password. Since it is only a couple of times a day
that would not be my first guess. If you dont already, enable auditing on
logon events success and failures. This might help provide further info in
the security event log about which DC is attempting the authentication and
the user account.
My inital reaction would be that you have a user account that the password
has been changed on and you still have either a service or TS session that
is attempting to authenticate with the old password.



--
James Brandt [MSFT]


"Blake" wrote in message
news:%23EVeQj%23eEHA.1724@TK2MSFTNGP10.phx.gbl...
> Getting this a couple times/day in the event log of our DCs (Windows 2000
> native mode AD):
>
> The SAM database was unable to lockout the account of ? due to a resource
> error, such as a hard disk write failure (the specific error code is in
> the error data) . Accounts are locked after a certain number of bad
> passwords are provided so please consider resetting the password of the
> account mentioned above.
>
> Anybody seen this before??
>
> Blake
>

I can understand the inclination that this is a password guess attempt, but
the frequency of these logs makes that unlikely.

I am just worried that this is a problem with the AD itself. It could be a
service trying to log on...

wrote in message
news:eUqcNLlfEHA.596@TK2MSFTNGP11.phx.gbl...
> Blake, I would consider the fact that it could be someone attempting to
> guess a user account password. Since it is only a couple of times a day
> that would not be my first guess. If you dont already, enable auditing on
> logon events success and failures. This might help provide further info
> in the security event log about which DC is attempting the authentication
> and the user account.
> My inital reaction would be that you have a user account that the password
> has been changed on and you still have either a service or TS session that
> is attempting to authenticate with the old password.
>
>
>
> --
> James Brandt [MSFT]
>
>
> "Blake" wrote in message
> news:%23EVeQj%23eEHA.1724@TK2MSFTNGP10.phx.gbl...
>> Getting this a couple times/day in the event log of our DCs (Windows 2000
>> native mode AD):
>>
>> The SAM database was unable to lockout the account of ? due to a resource
>> error, such as a hard disk write failure (the specific error code is in
>> the error data) . Accounts are locked after a certain number of bad
>> passwords are provided so please consider resetting the password of the
>> account mentioned above.
>>
>> Anybody seen this before??
>>
>> Blake
>>
>
>

Hi Blake.

Have you seen the KB below that mentions AD collisions as a possibility? I have not
seen it myself, so can not offer much more as far as a solution but I thought you
might be interested in the KB. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;306091

"Blake" wrote in message
news:O2foZfwfEHA.3544@TK2MSFTNGP10.phx.gbl...
> I can understand the inclination that this is a password guess attempt, but
> the frequency of these logs makes that unlikely.
>
> I am just worried that this is a problem with the AD itself. It could be a
> service trying to log on...
>
> wrote in message
> news:eUqcNLlfEHA.596@TK2MSFTNGP11.phx.gbl...
> > Blake, I would consider the fact that it could be someone attempting to
> > guess a user account password. Since it is only a couple of times a day
> > that would not be my first guess. If you dont already, enable auditing on
> > logon events success and failures. This might help provide further info
> > in the security event log about which DC is attempting the authentication
> > and the user account.
> > My inital reaction would be that you have a user account that the password
> > has been changed on and you still have either a service or TS session that
> > is attempting to authenticate with the old password.
> >
> >
> >
> > --
> > James Brandt [MSFT]
> >
> >
> > "Blake" wrote in message
> > news:%23EVeQj%23eEHA.1724@TK2MSFTNGP10.phx.gbl...
> >> Getting this a couple times/day in the event log of our DCs (Windows 2000
> >> native mode AD):
> >>
> >> The SAM database was unable to lockout the account of ? due to a resource
> >> error, such as a hard disk write failure (the specific error code is in
> >> the error data) . Accounts are locked after a certain number of bad
> >> passwords are provided so please consider resetting the password of the
> >> account mentioned above.
> >>
> >> Anybody seen this before??
> >>
> >> Blake
> >>
> >
> >
>
>

Thanks Steve. I have seen that KB article, and I AM getting the error data:

0xc00002a5

It just makes me nervous that this has started in the past few weeks and we
haven't done anything significant to our AD (such as adding a DC).
Everything here is local, we have 2 DCs on our domain. Nothing fancy.
Thanks again

Blake

"Steven L Umbach" wrote in message
news:YY8Sc.104464$8_6.16220@attbi_s04...
> Hi Blake.
>
> Have you seen the KB below that mentions AD collisions as a possibility? I
> have not
> seen it myself, so can not offer much more as far as a solution but I
> thought you
> might be interested in the KB. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;306091
>
> "Blake" wrote in message
> news:O2foZfwfEHA.3544@TK2MSFTNGP10.phx.gbl...
>> I can understand the inclination that this is a password guess attempt,
>> but
>> the frequency of these logs makes that unlikely.
>>
>> I am just worried that this is a problem with the AD itself. It could be
>> a
>> service trying to log on...
>>
>> wrote in message
>> news:eUqcNLlfEHA.596@TK2MSFTNGP11.phx.gbl...
>> > Blake, I would consider the fact that it could be someone attempting to
>> > guess a user account password. Since it is only a couple of times a
>> > day
>> > that would not be my first guess. If you dont already, enable auditing
>> > on
>> > logon events success and failures. This might help provide further
>> > info
>> > in the security event log about which DC is attempting the
>> > authentication
>> > and the user account.
>> > My inital reaction would be that you have a user account that the
>> > password
>> > has been changed on and you still have either a service or TS session
>> > that
>> > is attempting to authenticate with the old password.
>> >
>> >
>> >
>> > --
>> > James Brandt [MSFT]
>> >
>> >
>> > "Blake" wrote in message
>> > news:%23EVeQj%23eEHA.1724@TK2MSFTNGP10.phx.gbl...
>> >> Getting this a couple times/day in the event log of our DCs (Windows
>> >> 2000
>> >> native mode AD):
>> >>
>> >> The SAM database was unable to lockout the account of ? due to a
>> >> resource
>> >> error, such as a hard disk write failure (the specific error code is
>> >> in
>> >> the error data) . Accounts are locked after a certain number of bad
>> >> passwords are provided so please consider resetting the password of
>> >> the
>> >> account mentioned above.
>> >>
>> >> Anybody seen this before??
>> >>
>> >> Blake
>> >>
>> >
>> >
>>
>>
>
>