.png)
Secedit
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Configures and analyzes system security by comparing your current configuration to at least one template.
To view the command syntax, click a command:
-
secedit /analyze
-
secedit /configure
-
secedit /export
-
secedit /import
-
secedit /validate
-
secedit /GenerateRollback
Allows you to analyze the security settings on a computer by comparing them against the baseline settings in a database.
secedit /analyze /db FileName .sdb[/cfgFileName] [/overwrite] [/logFileName] [/quiet]
- /db FileName .sdb
- Specifies the database used to perform the analysis.
- /cfg FileName
- Specifies a security template to import into the database prior to performing the analysis. Security templates are created using the Security Templates snap-in.
- /log FileName
- Specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the scesrv.log file which is located in the %windir%\security\logs directory.
- /quiet
- Specifies that the analysis process should take place without further comments.
-
You can view the results of the analysis in Security Configuration and Analysis.
Following is an example of how you can use this command:
secedit /analyze /db hisecws.sdb
Configures local computer security by applying the settings stored in a database.
secedit /configure /db FileName[/cfg FileName ] [/overwrite][/areasArea1 Area2 ...] [/logFileName] [/quiet]
- /db FileName
- Specifies the database used to perform the security configuration.
- /cfg FileName
- Specifies a security template to import into the database prior to configuring the computer. Security templates are created using the Security Templates snap-in.
- /overwrite
- Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.
- /areas Area1 Area2 ...
-
Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following security areas are supported:
Area name Description SECURITYPOLICY
Includes account policies, audit policies, event log settings, and security options.
GROUP_MGMT
Includes Restricted Group settings
USER_RIGHTS
Includes User Rights Assignment
REGKEYS
Includes Registry Permissions
FILESTORE
Includes File System permissions
SERVICES
Includes System Service settings
- /log FileName
- Specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the scesrv.log file which is located in the %windir%\security\logs directory.
- /quiet
- Specifies that the configuration process should take place without prompting the user.
Following are examples of how you can use this command:
secedit /configure /db hisecws.sdb /cfg
hisecws.inf /overwrite /log hisecws.log
Allows you to export the security settings stored in the database.
secedit /export[/DBFileName] [/mergedpolicy] [/CFG FileName] [/areasArea1 Area2 ...] [/logFileName] [/quiet]
- /db FileName
- Specifies the database used to configure security.
- /mergedpolicy
- Merges and exports domain and local policy security settings.
- /CFG FileName
- Specifies the template the settings will be exported to.
- /areas Area1 Area2 ...
-
Specifies the security areas to be exported to a template. If an area is not specified, all areas are exported. Each area should be separated by a space.
Area name Description SECURITYPOLICY
Includes account policies, audit policies, event log settings, and security options.
GROUP_MGMT
Includes Restricted Group settings
USER_RIGHTS
Includes User Rights Assignment
REGKEYS
Includes Registry Permissions
FILESTORE
Includes File System permissions
SERVICES
Includes System Service settings
- /log FileName
- Specifies a file in which to log the status of the export process. If not specified, the default is %windir%\security\logs\scesrv.log.
- /quiet
- Specifies that the configuration process should take place without prompting the user.
Following is an example of how you can use this command:
secedit /export /db hisecws.inf /log hisecws.log
Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system.
secedit /import /db FileName .sdb /cfg FileName.inf [/overwrite] [/areasArea1 Area2 ...] [/logFileName] [/quiet]
- /db FileName .sdb
- Specifies the database that the security template settings will be imported into.
- /CFG FileName
- Specifies a security template to import into the database. Security templates are created using the Security Templates snap-in.
- /overwrite FileName
- Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.
- /areas Area1 Area2 ...
-
Specifies the security areas to be exported to a template. If an area is not specified, all areas are exported. Each area should be separated by a space.
Area name Description SECURITYPOLICY
Includes account policies, audit policies, event log settings, and and security options.
GROUP_MGMT
Includes Restricted Group settings
USER_RIGHTS
Includes User Rights Assignment
REGKEYS
Includes Registry Permissions
FILESTORE
Includes File System permissions
SERVICES
Includes System Service settings
- /log FileName
- Specifies a file in which to log the status of the export process. If not specified, the default is %windir%\security\logs\scesrv.log.
- /quiet
- Specifies that the configuration process should take place without prompting the user.
Following is an example of how you can use this command:
secedit /import /db hisecws.sdb /cfg hisecws.inf /overwrite
Validates the syntax of a security template to be imported into a database for analysis or application to a system.
secedit /validate FileName
- FileName
- Specifies the file name of the security template you have created with Security Templates.
Following is an example of how you can use this command:
secedit /validate /cfg filename
Allows you to generate a rollback template with respect to a configuration template. When applying a configuration template to a computer you have the option of creating rollback template which, when applied, resets the security settings to the values before the configuration template was applied.
secedit /GenerateRollback /CFG FileName.inf /RBK SecurityTemplatefilename.inf [/logRollbackFileName.inf] [/quiet]
- /CFG FileName
- Specifies the file name of the security template for which you want to create a rollback template of.
- /RBK FileName
- Specifies the file name of the security template that will be created as the rollback template.
-
secedit /refreshpolicy has been replaced with gpupdate. For information on how to refresh security settings, see Related Topics.
| Format | Meaning |
|---|---|
|
Italic |
Information that the user must supply |
|
Bold |
Elements that the user must type exactly as shown |
|
Ellipsis (...) |
Parameter that can be repeated several times in a command line |
|
Between brackets ([]) |
Optional items |
|
Between braces ({}); choices separated by pipe (|). Example: {even|odd} |
Set of choices from which the user must choose only one |
|
|
Code or program output |
See Also
