Secedit:import

 

Applies To: Windows Server 2003, Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2000, Windows Server 2012, Windows 8

Imports security settings stored in an inf file previously exported from the database configured with security templates. For examples of how this command can be used, see Examples.

Syntax

Secedit /import /db <database file name> /cfg <configuration file name> [/overwrite] [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]

Parameters

Parameter

Description

db

Required.

Specifies the path and file name of a database that contains the stored configuration into which the import will be performed.

If file name specifies a database that has not had a security template (as represented by the configuration file) associated with it, the /cfg <configuration file name> command-line option must also be specified.

overwrite

Optional.

Specifies whether the security template in the /cfg parameter should overwrite any template or composite template that is stored in the database instead of appending the results to the stored template.

This command-line option is only valid when the /cfg <configuration file name> parameter is also used. If this is not specified, the template in the /cfg parameter is appended to the stored template.

cfg

Required.

Specifies the path and file name for the security template that will be imported into the database for analysis.

This /cfg option is only valid when used with the /db <database file name> parameter. If this is not specified, the analysis is performed against any configuration already stored in the database.

overwrite

Optional.

Specifies whether the security template in the /cfg parameter should overwrite any template or composite template that is stored in the database instead of appending the results to the stored template.

This command-line option is only valid when the /cfg <configuration file name> parameter is also used. If this is not specified, the template in the /cfg parameter is appended to the stored template.

areas

Optional.

Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following security areas are supported:

  • SecurityPolicy

    Local policy and domain policy for the system, including account policies, audit policies, security options, and so on.

  • Group_Mgmt

    Restricted group settings for any groups specified in the security template.

  • User_Rights

    User logon rights and granting of privileges.

  • RegKeys

    Security on local registry keys.

  • FileStore

    Security on local file storage.

  • Services

    Security for all defined services.

log

Optional.

Specifies the path and file name of the log file for the process.

quiet

Optional.

Suppresses screen and log output. You can still view analysis results by using the Security Configuration and Analysis snap-in to the Microsoft Management Console (MMC).

Remarks

Before importing an .inf file onto another computer, run the command secedit /generaterollback on the database on which the import will be performed and secedit /validate on the import file to verify its integrity.

If the path for the log file is not provided, the default log file, (systemroot\Documents and Settings\UserAccount\My Documents\Security\Logs\DatabaseName.log) is used.

In Windows Server 2008, Secedit /refreshpolicy has been replaced with gpupdate. For information on how to refresh security settings, see Gpupdate.

Examples

Export the security database and the domain security policies to an inf file and then import that file to a different database in order to replicate the security policy settings on another computer.

Secedit /export /db C:\Security\FY11\SecDbContoso.sdb /mergedpolicy /cfg NetworkShare\Policies\SecContoso.inf /log C:\Security\FY11\SecAnalysisContosoFY11.log /quiet

Import just the security policies portion of the file to a different database on another computer.

Secedit /import /db C:\Security\FY12\SecDbContoso.sdb /cfg NetworkShare\Policies\SecContoso.inf /areas securitypolicy /log C:\Security\FY11\SecAnalysisContosoFY12.log /quiet

Additional references