Random Account Lockouts

This morning I have had about 5 users complain that their accounts were locked out but they were certain they keyed their passwords in correctly.  Of course being the typical IT guy I figured my end-uses were crazy.  Funny thing was though it happened to me about 10 minutes ago.  I logged onto my PC without any problems this morning.  After logging in I tried to access a file on SharePoint and it told me I didn't have rights.  I went and looked and my account was locked out.

My first step was to look at the event viewers and I noticed an error the was recurring consistently:  EventID 12294.  The SAM database was unable to lockout the account of administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

I checked and my Domain Administrator Account was locked out.  I unlocked it and within about 5 seconds it was locked out again.  Is there anyway to tell what is causing these issues?
Neptune ITAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bluntTonyHead of ICTCommented:
Sounds like a possible conficker (or downadup) infection. One symptom of this is random lockout events for no apparent reason.
Update your virus definitions and run some scans. The source of the infection could be attempting to log on to network shares, casuing the lockouts.
There are a number of removal tools available - google 'conficker removal' and follow the steps to detect and repair this sort of infection.
Neptune ITAuthor Commented:
Does Active Directory log where the attempts are coming from by any chance?  This would help me narrow down the source of the problem?
bluntTonyHead of ICTCommented:
Also have a check of your DC security event logs to determine the logon type which is causing the account lockouts. You may also get the source machine from which the bad logons are coming from...
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

bluntTonyHead of ICTCommented:
Look like our posts just crossed :-)
Glen KnightCommented:
You may also want to have a look at this: http://support.microsoft.com/kb/887433
I had an incident recently where Conficker was causing this problem.

There is an MS Patch: http://support.microsoft.com/kb/958644
Also make sure your virus protection is bang upto date and do a full system scan.

We had to use Group Policies to disable Autorun feature, it was also creating tasks in the scheduled task avery hour and they were called A1, A2, A3 etc, again we disabled the task scheduler in Grou Policy until we were able to full disinfect.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Neptune ITAuthor Commented:
What particular type EventID should I be looking for in the DC Security logs?
bluntTonyHead of ICTCommented:
It could at this stage be a number of event IDs. Filter the security log on failure events then look through these.
Check the source computer, and the logon type code. Reference for type codes...
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.