0X00000993

0X00000993: Net Logon Service Blocking UAS Operations

Server & Cloud Intermediate 👁 1 views 📅 May 28, 2026

This error means the Net Logon service is blocking a User Account System (UAS) operation. The fix involves stopping or configuring the service to allow legacy administrative actions.

Quick answer: Stop the Net Logon service with net stop NetLogon on the target machine, run your operation, then restart it with net start NetLogon.

I had a client last month whose entire print queue died because of this error. They were running a legacy inventory script that called NetServerEnum, and it kept throwing 0X00000993. The root cause? The Net Logon service was up and enforcing security policies that blocked User Account System (UAS) calls — basically a holdover from NT-style domain management. Modern Windows Server still has this service for backward compatibility with old admin tools, but it restricts operations that look like they're bypassing domain security.

Here’s the deal: if you’re running something like net user on a member server or a domain controller that’s also acting as a standalone machine, the Net Logon service sees the UAS operation as “not permitted” because it expects the domain controller to handle it. Classic case: you’re on a server that’s not a DC but has the service running because it used to be part of a domain.

Fix Steps — The Real Fix

  1. Check if Net Logon is running. Open a command prompt as Administrator and type: 
    sc query Netlogon
    If it says STATE: 4 RUNNING, proceed.
  2. Stop the service temporarily. 
    net stop NetLogon
    You’ll see “The Net Logon service is stopping.” Wait a few seconds.
  3. Run your operation. For example, if it was a script throwing the error, run it now. In my client’s case, their inventory script ran perfectly after this.
  4. Restart the service. 
    net start NetLogon
    Don’t forget this — without it, domain authentication breaks for that machine.

Alternative Fix: Disable via Registry

If you need a permanent solution and the machine doesn’t actually need Net Logon (e.g., it’s a standalone server that was once domain-joined), set the service to disabled:

  1. Open regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon.
  2. Double-click Start, change the value to 4 (disabled).
  3. Reboot or run net stop NetLogon.

Warning: If this machine is still domain-joined, disabling it will break logon authentication. Only do this for servers that are fully isolated or have left the domain.

Alternative Fix: Use Group Policy to Block UAS Calls

If you can’t stop the service (maybe it’s a domain controller itself), you can configure the local security policy to allow these operations. But honestly, that’s a pain. Better option: use nltest to see what’s going on:

nltest /server:YourServer /sc_query

If it shows a broken trust, fix the trust instead of fighting the error.

Prevention Tip

Stop using legacy UAS-based tools. The error 0X00000993 is a red flag that you’re relying on deprecated APIs. Switch to PowerShell with Get-WmiObject or Get-CimInstance for inventory. For account management, use Get-ADUser if you’re on a domain. That error won’t come back if you modernize your arsenal.

Had a client try to run a Visual Basic 6 tool that called NetUserEnum directly — same error. I told them to wrap the call in a service stop/start, but the real fix was rewriting it in PowerShell. They didn’t, and it kept breaking every Patch Tuesday when Windows Update restarted the service.

Bottom line: 0X00000993 is the OS telling you “I’m not your old NT server.” Work around it by stopping the service temporarily, or retire the tool that’s triggering it.

Was this solution helpful?

0X00000993 NERR_InvalidUASOp Net Logon service UAS operation not permitted Windows Server domain controller user account management legacy admin tools NetServerEnum NetUserEnum service configuration registry fix