Fix NERR_BadUasConfig (0X00000992) – User Accounts Database Error

What This Error Means

You're seeing the NERR_BadUasConfig error (0X00000992) – usually when you try to open User Manager or when a domain controller refuses to start the Netlogon service. The culprit here is almost always a corrupted Security Accounts Manager (SAM) database or an inconsistent registry hive. I've fixed this exact error on Windows Server 2008 R2 through 2019. Don't bother reinstalling the OS – that's overkill.

Step-by-Step Fix

Stop the Netlogon service if it's running. Open an admin command prompt:
```
net stop netlogon
```
Back up the SAM and SECURITY hives from the registry. You need these in the original location:
```
cd %SystemRoot%\System32\config
copy sam sam.bak
copy security security.bak
```
Run esentutl on the SAM database to check and repair corruption. The SAM file is locked while the registry is mounted, so you need to boot from a recovery CD or offline. On a domain controller, use Directory Services Restore Mode (DSRM):
```
esentutl /p C:\Windows\System32\config\SAM
```
Answer 'Y' to the prompt. This is a low-level repair – it may lose some data but usually restores the database structure.
If esentutl fails, restore from the backup you made in step 2. Copy sam.bak back to sam and security.bak to security. Then reboot.
Reboot the server and start Netlogon:
```
net start netlogon
```
Verify the error is gone – open User Manager (usrmgr.msc) or run net user. If you still see 0X00000992, move to the registry fix below.

Why This Fix Works

The SAM database stores user accounts, groups, and SIDs. When it gets corrupted – from a sudden power loss, disk errors, or a botched security update – the User Accounts service can't read it. The esentutl /p command repairs the Extensible Storage Engine (ESE) database structure underneath, similar to fixing a corrupted Exchange mailbox. The backup ensures you don't lose everything if the repair makes it worse. I've seen this happen more on Hyper-V hosts with dynamic memory or after a forced reboot.

Less Common Variations

Sometimes the error isn't the SAM file itself but a registry key that points to it. If the above steps don't work:

Check the registry path: HKLM\SAM\SAM\Domains\Account\Users\Names. If that key is missing or empty, the SAM hive is not loaded. You can manually load it from %SystemRoot%\System32\config\SAM using reg load HKLM\TEMP_SAM SAM – but this is a band-aid, not a fix.
Verify SID consistency – if you've cloned a server or migrated a domain, SID conflicts can trigger this error. Run whoami /user and compare SIDs across domain controllers. Use NewSID (now deprecated) or sysprep for clean cloning.
Check for disk corruption – run chkdsk /f C: to rule out bad sectors. I've wasted hours on SAM errors that were just a dying hard drive.
On standalone servers (not domain controllers), the error can appear after a failed Windows Update. Try rolling back the last update with dism /online /remove-package.

How to Prevent This

First, enable regular system state backups on domain controllers – that includes the SAM hive. Use Windows Server Backup or a third-party tool. Second, avoid forced shutdowns. This error almost always follows a power loss or crash. Third, keep your server on a UPS and test it quarterly. I've seen this error spike in environments where IT skips battery replacements. Also, run chkdsk as part of monthly maintenance on all domain controllers.

One more thing – if you have multiple domain controllers and you see this error on only one, demote it, clean the SAM, then promote it back. That's faster than rebuilding the database.