Export (0) Print
Expand All
7 out of 9 rated this helpful - Rate this topic

Secedit

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Configures and analyzes system security by comparing your current configuration to at least one template.

To view the command syntax, click a command:

Allows you to analyze the security settings on a computer by comparing them against the baseline settings in a database.

secedit /analyze /db FileName .sdb[/cfgFileName] [/overwrite] [/logFileName] [/quiet]

/db FileName .sdb
Specifies the database used to perform the analysis.

/cfg FileName
Specifies a security template to import into the database prior to performing the analysis. Security templates are created using the Security Templates snap-in.

/log FileName
Specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the scesrv.log file which is located in the %windir%\security\logs directory.

/quiet
Specifies that the analysis process should take place without further comments.

Following is an example of how you can use this command:

secedit /analyze /db hisecws.sdb

Configures local computer security by applying the settings stored in a database.

secedit /configure /db FileName[/cfg FileName ] [/overwrite][/areasArea1 Area2 ...] [/logFileName] [/quiet]

/db FileName
Specifies the database used to perform the security configuration.

/cfg FileName
Specifies a security template to import into the database prior to configuring the computer. Security templates are created using the Security Templates snap-in.

/overwrite
Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.

/areas Area1 Area2 ...
Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following security areas are supported:

 

Area name Description

SECURITYPOLICY

Includes account policies, audit policies, event log settings, and security options.

GROUP_MGMT

Includes Restricted Group settings

USER_RIGHTS

Includes User Rights Assignment

REGKEYS

Includes Registry Permissions

FILESTORE

Includes File System permissions

SERVICES

Includes System Service settings

/log FileName
Specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the scesrv.log file which is located in the %windir%\security\logs directory.

/quiet
Specifies that the configuration process should take place without prompting the user.

Following are examples of how you can use this command:

secedit /configure /db hisecws.sdb /cfg

hisecws.inf /overwrite /log hisecws.log

Allows you to export the security settings stored in the database.

secedit /export[/DBFileName] [/mergedpolicy] [/CFG FileName] [/areasArea1 Area2 ...] [/logFileName] [/quiet]

/db FileName
Specifies the database used to configure security.

/mergedpolicy
Merges and exports domain and local policy security settings.

/CFG FileName
Specifies the template the settings will be exported to.

/areas Area1 Area2 ...
Specifies the security areas to be exported to a template. If an area is not specified, all areas are exported. Each area should be separated by a space.

 

Area name Description

SECURITYPOLICY

Includes account policies, audit policies, event log settings, and security options.

GROUP_MGMT

Includes Restricted Group settings

USER_RIGHTS

Includes User Rights Assignment

REGKEYS

Includes Registry Permissions

FILESTORE

Includes File System permissions

SERVICES

Includes System Service settings

/log FileName
Specifies a file in which to log the status of the export process. If not specified, the default is %windir%\security\logs\scesrv.log.

/quiet
Specifies that the configuration process should take place without prompting the user.

Following is an example of how you can use this command:

secedit /export /db hisecws.inf /log hisecws.log

Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system.

secedit /import /db FileName .sdb /cfg FileName.inf [/overwrite] [/areasArea1 Area2 ...] [/logFileName] [/quiet]

/db FileName .sdb
Specifies the database that the security template settings will be imported into.

/CFG FileName
Specifies a security template to import into the database. Security templates are created using the Security Templates snap-in.

/overwrite FileName
Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.

/areas Area1 Area2 ...
Specifies the security areas to be exported to a template. If an area is not specified, all areas are exported. Each area should be separated by a space.

 

Area name Description

SECURITYPOLICY

Includes account policies, audit policies, event log settings, and and security options.

GROUP_MGMT

Includes Restricted Group settings

USER_RIGHTS

Includes User Rights Assignment

REGKEYS

Includes Registry Permissions

FILESTORE

Includes File System permissions

SERVICES

Includes System Service settings

/log FileName
Specifies a file in which to log the status of the export process. If not specified, the default is %windir%\security\logs\scesrv.log.

/quiet
Specifies that the configuration process should take place without prompting the user.

Following is an example of how you can use this command:

secedit /import /db hisecws.sdb /cfg hisecws.inf /overwrite

Validates the syntax of a security template to be imported into a database for analysis or application to a system.

secedit /validate FileName

FileName
Specifies the file name of the security template you have created with Security Templates.

Following is an example of how you can use this command:

secedit /validate /cfg filename

Allows you to generate a rollback template with respect to a configuration template. When applying a configuration template to a computer you have the option of creating rollback template which, when applied, resets the security settings to the values before the configuration template was applied.

secedit /GenerateRollback /CFG FileName.inf /RBK SecurityTemplatefilename.inf [/logRollbackFileName.inf] [/quiet]

/CFG FileName
Specifies the file name of the security template for which you want to create a rollback template of.

/RBK FileName
Specifies the file name of the security template that will be created as the rollback template.

  • secedit /refreshpolicy has been replaced with gpupdate. For information on how to refresh security settings, see Related Topics.

 

Format Meaning

Italic

Information that the user must supply

Bold

Elements that the user must type exactly as shown

Ellipsis (...)

Parameter that can be repeated several times in a command line

Between brackets ([])

Optional items

Between braces ({}); choices separated by pipe (|). Example: {even|odd}

Set of choices from which the user must choose only one

Courier font

Code or program output

See Also

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

Show:
© 2014 Microsoft. All rights reserved.