ERROR Event ID 12294 The SAM database was unable to lockout the account

Starting on the 6th of March I started seeing the following error on both of our domain controllers (2008 R2) and I have never seen this before. I have run various virus sweeps and found no issues so far. Replication works okay and nothing else jumps out as being wrong right now. The servers are current in their MS patching (we are a few weeks behind). The odd thing is that it always refers to the same user account (a regular domain user with roaming profile) and no other accounts (no administrator either) have been noted in the error. The hard disks, array, etc. are all good. I checked and (using the MS account lockout tool) noted that their account was locked out on both DCs and I unlocked it. I tested and it can be locked and unlocked without issues. No user has reported logon issues or random/odd password reset needs.
ERROR Event ID 12294
The SAM database was unable to lockout the account of ojohnson due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

Any thoughts as to what this could be?
Laszlo Denes Asked:

Learnctx (Engineer) Commented:
It's usually down to the domain controller being busy at that moment in time. Post on the topic from someone at Microsoft here. Where I usually see this is on companies with under-spec'd domain controllers, but it can also happen if a DC gets hit very hard with authentication traffic (for example, DCs behind a load balancer where all the other pool members go down).
Laszlo Denes (Author) Commented:
The part that concerns me is that it is on both (physical, not clustered, and no load balancer) DCs and they are the same DCs we have used for a few years now and this has never shown up; neither for a single user, nor for more than one user. Also the time it showed up for this one user (and nobody else) is odd as she is not here most of the time when it does this and only for that one user and no other errors (this shows up under the SYSTEM log) that explain it. See a screenshot below from both DCs (this is seen through the Dameware view into Event Viewer).
Untitled.jpg
Learnctx (Engineer) Commented:
In that case, try disabling the account. This is the recommended practice from Microsoft (see here). See if you are able to successfully disable the account and then work from there. Are you seeing audit failures:

Event ID: 4625 -- Logon failure
Event ID: 4678 (audit failure) -- Kerberos TGT request failure
Event ID: 4679 (audit failure) -- Kerberos ST request failure
Event ID: 4771 -- Kerberos pre-auth failure
Event ID: 4776 (audit failure) -- Ntlm auth failure

Try to track down a source. You can also use a tool like Lockout Status from Microsoft (see here) to narrow down which DC (or DCs) are processing the failed logons.

Also try following the KB306091 article on troubleshooting this error. It's an old article but still relevant.
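One way to do the source tracking suggested above, as an added example that is not part of the original post: it pulls the 4625, 4771 and 4776 failures from the list for one account from each DC's Security log and counts them by originating address or workstation. The account name `jdoe` and the DC names `DC01`/`DC02` are placeholders.

```powershell
# Added example: $User and $DomainControllers are placeholders, not values from this thread.
param(
    [string]$User = 'jdoe',
    [string[]]$DomainControllers = @('DC01', 'DC02'),
    [int]$HoursBack = 24
)

# Failure events that record the account name plus a client address or workstation.
$ids   = 4625, 4771, 4776
$since = (Get-Date).AddHours(-$HoursBack)

# Read one named <Data> field out of the event's XML payload.
function Get-EventField($Xml, [string]$Name) {
    $node = $Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' }
}

$hits = foreach ($dc in $DomainControllers) {
    $filter = @{ LogName = 'Security'; Id = $ids; StartTime = $since }
    # Get-WinEvent raises an error when nothing matches, so suppress it.
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $xml = [xml]$evt.ToXml()
            if ((Get-EventField $xml 'TargetUserName') -ne $User) { return }
            # 4625: IpAddress/WorkstationName, 4771: IpAddress, 4776: Workstation
            $source = 'IpAddress', 'WorkstationName', 'Workstation' |
                ForEach-Object { Get-EventField $xml $_ } |
                Where-Object { $_ -and $_ -ne '-' } |
                Select-Object -First 1
            New-Object PSObject -Property @{
                DC      = $dc
                EventId = $evt.Id
                Time    = $evt.TimeCreated
                Source  = $source
            }
        }
}

if ($hits) {
    # Highest counts first: the top rows are the machines sending the bad credentials.
    $hits | Group-Object DC, EventId, Source | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
} else {
    Write-Output "No matching failure events for $User in the last $HoursBack hours."
}
```

These events are only written when failure auditing is enabled for logon and credential validation on the DCs, so an empty result can mean the audit policy is off rather than that no bad passwords were sent.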

Laszlo Denes (Author) Commented:
I see none of those messages on either DC (checked system, security and application logs) pertaining to that user.
I can disable the account and re-enable it with no issues. The user was also able to change their password (Ctrl-Alt-Del) yesterday without issue.
I downloaded the tool and it happens on either/both DC.
I also tested several other accounts re. typing wrong passwords and they lock out for the duration set and then enable again, which is also true for this user.
Naveen Sharma Commented:
Error ID 12294 means there are numerous failed authentication events in the security log due to incorrect credentials, or it could be a virus issue. Get help from the articles below:

https://blogs.technet.microsoft.com/mempson/2012/01/13/event-id-12294-woes/
https://support.microsoft.com/en-us/help/962007/virus-alert-about-the-win32-conficker-worm

Audit the successful or failed logon and logoff attempts in the network using the audit policies:
https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/
Laszlo Denes (Author) Commented:
Did full scans on both DCs and no virus/worm.
Ended up rebooting all systems (W7 switch user enabled) that the user was logged into (inactive background profile) or had logged into and the issue went away.

Laszlo Denes (Author) Commented:
it worked