I came across this great error today at a customer site:
Event Type: Error
Event Source: SAM
Event Category: None
Event ID: 12294
Time: 9:42:55 AM
The SAM database was unable to lockout the account of ? due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
After some research, I found that the SAM 12294 events appear, if the domain controller receive numerous failure authentication requests for the account in the same time (the common reason is worm virus or third-party software). Since the domain controller is busy to update the account lockout threshold, doesn’t have enough disk resource to set the account as locked out, then generate the SAM 12294 events. When the domain controller has the enough resource, the account will be locked out if we configured Account Lockout policy. As it turned out in this instance, it was just an application with the wrong credentials.