I regularly get the following event ID in my SBS2011 server event log. I have read and understand this is something or someone trying to access the administrators account. I actually think it's possible that there is a service or process that that uses the administrator account, but is unable to login because the administrator password was changed a while back. Is there anyway to tell from the event what might be trying login using those credentials?
Event ID 12294 Directory-Services-SAM
The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.