Secedit
This page is from Microsoft
Updated: January 21, 2005
Configures and analyzes system security by comparing your
current configuration to at least one template.
Allows you to analyze the security settings on a computer by
comparing them against the baseline settings in a database.
Syntax
secedit /analyze /db FileName.sdb [/cfg FileName]
[/overwrite] [/log FileName] [/quiet]
Parameters
/db FileName.sdb
Specifies the database used to perform the analysis.
/cfg FileName
Specifies a security template to import into the
database prior to performing the analysis. Security
templates are created using the Security Templates
snap-in.
/log FileName
Specifies a file in which to log the status of the
configuration process. If not specified,
configuration data is logged in the scesrv.log file
which is located in the %windir%\security\logs
directory.
/quiet
Specifies that the analysis process should take
place without further comments.
Remarks
Examples
Following is an example of how you can use this command:
secedit /analyze /db hisecws.sdb
Configures local computer security by applying the settings
stored in a database.
Syntax
secedit /configure /db FileName [/cfg FileName]
[/overwrite] [/areas Area1 Area2 ...]
[/log FileName] [/quiet]
Parameters
/db FileName
Specifies the database used to perform the security
configuration.
/cfg FileName
Specifies a security template to import into the
database prior to configuring the computer. Security
templates are created using the Security Templates
snap-in.
/overwrite
Specifies that the database should be emptied prior
to importing the security template. If this
parameter is not specified, the settings in the
security template are accumulated into the database.
If this parameter is not specified and there are
conflicting settings in the database and the
template being imported, the template settings win.
/areas Area1 Area2 ...
Specifies the security areas to be applied to the
system. If this parameter is not specified, all
security settings defined in the database are
applied to the system. To configure multiple areas,
separate each area by a space. The following
security areas are supported:
Area name | Description
SECURITYPOLICY | Includes account policies, audit policies, event log settings, and security options.
GROUP_MGMT | Includes Restricted Group settings
USER_RIGHTS | Includes User Rights Assignment
REGKEYS | Includes Registry Permissions
FILESTORE | Includes File System permissions
SERVICES | Includes System Service settings
/log FileName
Specifies a file in which to log the status of the
configuration process. If not specified,
configuration data is logged in the scesrv.log file
which is located in the %windir%\security\logs
directory.
/quiet
Specifies that the configuration process should take
place without prompting the user.
Examples
Following are examples of how you can use this command:
secedit /configure /db hisecws.sdb /cfg hisecws.inf /overwrite /log hisecws.log
Allows you to export the security settings stored in the
database.
Syntax
secedit /export [/DB FileName] [/mergedpolicy]
[/CFG FileName] [/areas Area1 Area2 ...]
[/log FileName] [/quiet]
Parameters
/db FileName
Specifies the database used to configure security.
/mergedpolicy
Merges and exports domain and local policy security
settings.
/CFG FileName
Specifies the template the settings will be exported
to.
/areas Area1 Area2 ...
Specifies the security areas to be exported to a
template. If an area is not specified, all areas are
exported. Each area should be separated by a
space.
Area name | Description
SECURITYPOLICY | Includes account policies, audit policies, event log settings, and security options.
GROUP_MGMT | Includes Restricted Group settings
USER_RIGHTS | Includes User Rights Assignment
REGKEYS | Includes Registry Permissions
FILESTORE | Includes File System permissions
SERVICES | Includes System Service settings
/log FileName
Specifies a file in which to log the status of the
export process. If not specified, the default is %windir%\security\logs\scesrv.log.
/quiet
Specifies that the configuration process should take
place without prompting the user.
Examples
Following is an example of how you can use this command:
secedit /export /db hisecws.inf /log hisecws.log
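The following PowerShell sketch is an added example, not part of the original Microsoft page. It exports only the SECURITYPOLICY area with the flags documented above, parses the resulting template, and reports settings weaker than a baseline. The output paths and the baseline values are constructed assumptions, and a nonzero exit code is assumed to mean failure.

```powershell
# Added example. Paths and baseline values are constructed assumptions.
# Run from an elevated prompt.
$export = Join-Path $env:TEMP 'current-policy.inf'
$log    = Join-Path $env:TEMP 'current-policy.log'

# Parse a security template (INF) into a table keyed by "Section\Name".
function Read-SecurityTemplate {
    param([string]$Path)
    $settings = @{}
    $section  = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^=;]+?)\s*=\s*(.*)$') {
            $settings["$section\$($Matches[1])"] = $Matches[2].Trim()
        }
    }
    return $settings
}

# Export only the SECURITYPOLICY area; /cfg names the template to write.
secedit /export /cfg $export /areas SECURITYPOLICY /log $log /quiet
if ($LASTEXITCODE -ne 0) {
    # Assumption: any nonzero exit code is treated as a failed export.
    throw "secedit /export exited with $LASTEXITCODE; see $log"
}

# Constructed baseline: minimum acceptable values for three [System Access] keys.
$baseline = [ordered]@{
    'System Access\MinimumPasswordLength' = 12
    'System Access\PasswordComplexity'    = 1
    'System Access\PasswordHistorySize'   = 10
}

$current  = Read-SecurityTemplate -Path $export
$findings = foreach ($key in $baseline.Keys) {
    $actual = $current[$key]
    if ($null -eq $actual -or [int]$actual -lt $baseline[$key]) {
        [pscustomobject]@{
            Setting  = $key
            Required = ">= $($baseline[$key])"
            Actual   = if ($null -eq $actual) { '(not defined)' } else { $actual }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'All checked settings meet the baseline.' }
```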
Allows you to import a security template into a database so that
the settings specified in the template can be applied to a
system or analyzed against a system.
Syntax
secedit /import /db FileName.sdb /cfg FileName.inf
[/overwrite] [/areas Area1 Area2 ...] [/log FileName]
[/quiet]
Parameters
/db FileName.sdb
Specifies the database that the security template
settings will be imported into.
/CFG FileName
Specifies a security template to import into the
database. Security templates are created using the
Security Templates snap-in.
/overwrite FileName
Specifies that the database should be emptied prior
to importing the security template. If this
parameter is not specified, the settings in the
security template are accumulated into the database.
If this parameter is not specified and there are
conflicting settings in the database and the
template being imported, the template settings win.
/areas Area1 Area2 ...
Specifies the security areas to be exported to a
template. If an area is not specified, all areas are
exported. Each area should be separated by a
space.
Area name | Description
SECURITYPOLICY | Includes account policies, audit policies, event log settings, and security options.
GROUP_MGMT | Includes Restricted Group settings
USER_RIGHTS | Includes User Rights Assignment
REGKEYS | Includes Registry Permissions
FILESTORE | Includes File System permissions
SERVICES | Includes System Service settings
/log FileName
Specifies a file in which to log the status of the
export process. If not specified, the default is %windir%\security\logs\scesrv.log.
/quiet
Specifies that the configuration process should take
place without prompting the user.
Examples
Following is an example of how you can use this command:
secedit /import /db hisecws.sdb /cfg hisecws.inf /overwrite
Validates the syntax of a security template to be imported into
a database for analysis or application to a system.
Syntax
secedit /validate FileName
Parameters
FileName
Specifies the file name of the security template you
have created with Security Templates.
Examples
Following is an example of how you can use this command:
secedit /validate /cfg filename
Allows you to generate a rollback template with respect to a
configuration template. When applying a configuration template
to a computer, you have the option of creating a rollback template
which, when applied, resets the security settings to the values
they had before the configuration template was applied.
Syntax
secedit /GenerateRollback /CFG FileName.inf /RBK
SecurityTemplatefilename.inf [/log RollbackFileName.inf]
[/quiet]
Parameters
/CFG FileName
Specifies the file name of the security template for
which you want to create a rollback template.
/RBK FileName
Specifies the file name of the security template
that will be created as the rollback template.
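The following PowerShell sketch is an added example, not part of the original Microsoft page. It chains the subcommands documented above into one staged change: validate, generate a rollback template, import, analyze, then configure selected areas. The C:\Baselines paths and the Invoke-Secedit helper are assumptions for illustration, and the flags follow the Syntax lines on this page.

```powershell
# Added example. Paths below are assumed placeholders; run from an elevated prompt.
$template = 'C:\Baselines\hisecws.inf'
$rollback = 'C:\Baselines\hisecws-rollback.inf'
$db       = 'C:\Baselines\hisecws.sdb'
$log      = 'C:\Baselines\hisecws.log'

# Hypothetical helper: run secedit and stop the sequence on a nonzero exit code.
# Assumption: any nonzero exit code is treated as a failure.
function Invoke-Secedit {
    param([string[]]$Arguments)
    & secedit.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "secedit $($Arguments[0]) exited with $LASTEXITCODE; check $log"
    }
}

# 1. Syntax-check the template before it reaches any database.
Invoke-Secedit @('/validate', $template)

# 2. Record the current values of the settings the template would change.
Invoke-Secedit @('/GenerateRollback', '/CFG', $template, '/RBK', $rollback,
                 '/log', $log, '/quiet')

# 3. Import with /overwrite so settings already in the database are emptied
#    first rather than accumulated with the new template.
Invoke-Secedit @('/import', '/db', $db, '/cfg', $template, '/overwrite',
                 '/log', $log, '/quiet')

# 4. Analyze the computer against the database. The exit code is reported,
#    not interpreted; review the log before continuing.
& secedit.exe /analyze /db $db /log $log /quiet
Write-Host "secedit /analyze exit code: $LASTEXITCODE (see $log)"

# 5. Apply only two areas instead of everything defined in the database.
Invoke-Secedit @('/configure', '/db', $db, '/areas', 'SECURITYPOLICY', 'USER_RIGHTS',
                 '/log', $log, '/quiet')

# To revert, configure from the rollback template with a separate database:
#   secedit /configure /db C:\Baselines\rollback.sdb /cfg $rollback /overwrite /log $log /quiet
```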
Remarks
- secedit /refreshpolicy has been replaced with
gpupdate. For information on how to refresh security
settings, see Related Topics.
Formatting legend
Italic | Information that the user must supply
Bold | Elements that the user must type exactly as shown
Ellipsis (...) | Parameter that can be repeated several times in a command line
Between brackets ([]) | Optional items
Between braces ({}); choices separated by pipe (|). Example: {even|odd} | Set of choices from which the user must choose only one
Courier font | Code or program output