What's the event ID number? Is it 12294? Are there any other associated events listed at the same time? Look for 1083, 1955 in the File Replication log indicating replication conflicts. What's your domain/forest functional level at? Do you have any corresponding 680's or 539's/644's indicating failed logins/account lockouts for the accounts that are locking out that might provide additional information? What about the possibility of an infected PC on your network?
Thanks, James Winzenz Infrastructure Systems Engineer II - Security Pulte Homes Information Services -----Original Message----- From: Kennedy, Jim [mailto:[email protected]] Sent: Tuesday, March 10, 2009 8:53 AM To: NT System Admin Issues Subject: Account lockouts I am getting hammered with these in the event log: The SAM database was unable to lockout the account of USERNAME due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above. And accounts are getting locked out left and right, others are not. I have reset the passwords on some of them and disabled/enabled and they still remain locked out. At first glance you/I might think a dictionary attack, but it feels more like Kerberos blowing up....... ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by email and delete the message and any file attachments from your computer. Thank you. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
