Security Settings Extension Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this subject

  • Resultant Set of Policies

  • Command Line Tools

  • Security Settings Policies

  • Related Information

This section presents an overview of Resultant Set of Policies (RSoP), which you use to determine which policy settings are currently in effect for a computer or user, and to assess how policy settings would affect computers or users if a specific Group Policy object were applied to them. It also describes the Windows Server 2003 command-line tools for configuring and analyzing security settings.

Resultant Set of Policies

Windows XP and the Windows Server 2003 family of operating systems support an enhanced Group Policy infrastructure that uses Windows Management Instrumentation (WMI) to collect Group Policy-related data for planning and troubleshooting Group Policy. This infrastructure is the Resultant Set of Policy (RSoP), a query engine that polls existing policy settings and planned policy settings, and then reports the results of those queries. RSoP polls existing policies based on site, domain, domain controller, and organizational unit. RSoP gathers this information from the Common Information Model Object Manager (CIMOM) database (also known as the CIM-compliant object repository) by using WMI.

Administrators can use RSoP in one of two modes. To determine which policy settings are in effect for a particular computer or user, administrators use Resultant Set of Policy – Logging Mode; to evaluate how policy settings would affect a computer or user if a specific Group Policy object were applied to them, they use Resultant Set of Policy – Planning Mode.

In Windows Server 2003, you can use the Group Policy Results node in the Group Policy Management Console (GPMC) to access the Resultant Set of Policy – Logging Mode capabilities. Group Policy Results represents the actual resultant set of policy that was applied to a given user and computer. This information is obtained by directly querying the target computer, so the target must be online and reachable when the query runs. Each sub-node represents a different RSoP query for a given user/computer combination. The Group Policy Modeling node in GPMC gives administrators access to the Resultant Set of Policy – Planning Mode capabilities of Windows Server 2003.

Note

  • As with other Group Policy settings, you must fully test your implementation in a test domain before you deploy your security settings to your production environment.

Some of the security settings extensions of Group Policy provide RSoP classes to represent data pertaining to security policy settings. The Security Policy RSoP Classes section, later in this document, lists the RSoP classes for security policy settings.

On Windows 2000 computers, you can use the Gpresult.exe tool to display information about how Group Policy affects both the currently logged-on user and the computer. For information about the Gpresult syntax, see “IPSec Policy Extension Tools and Settings” in this collection.

For Windows 2000, the Gpresult command-line tool is available in the Windows 2000 Resource Kit. To download this tool, see the download site for Windows 2000 Server Resource Kit tools. On Windows XP and Windows Server 2003, Gpresult.exe is included with the operating system.

For more detailed information about RSoP and WMI and to download SDKs, see the Microsoft Platform SDK link on the Web Resources page.

For more information about GPMC, see the Group Policy Management Console link on the Web Resources page.

Security Policy RSoP Classes

The RSoP Windows Management Instrumentation (WMI) Method Provider supports the following security policy classes, as listed in the following table.

Security Policy RSoP Classes

Class Description

RSOP_AuditPolicy

This class represents the security setting for a local Group Policy that relates to the auditing of an event type. Events can include, among others, system events and account management events.

RSOP_File

This class represents a security policy setting that defines the access permissions and audit settings for a securable file system object.

RSOP_RegistryKey

This class represents a security policy setting that defines the access permissions and audit settings for a particular registry key.

RSOP_RegistryValue

This class represents specific security-related registry values.

RSOP_RestrictedGroup

This class represents a security policy setting that defines the members of a restricted (security-sensitive) group.

RSOP_SecurityEventLogSettingBoolean

This class represents a security policy setting that determines whether or not guests can access the system, application and security event logs.

RSOP_SecurityEventLogSettingNumeric

This class represents a security policy setting that determines numeric properties related to the system, application and security event logs. Properties include the number of days to retain entries and maximum log size.

RSOP_SecuritySettingBoolean

This class represents the Boolean security setting for an account policy. Account policies include password policies and account lockout policies.

RSOP_SecuritySettingNumeric

This class represents the numeric security setting for an account policy. Account policies include password policies, account lockout policies, and Kerberos-related policies.

RSOP_SecuritySettings

This is the abstract class from which other RSoP security classes derive. Instances of this class are not logged. RSOP_SecuritySettings derives from the RSOP_PolicySetting class.

RSOP_SecuritySettingString

This class represents the string security setting for an account policy.

RSOP_SystemService

This class represents the security policy setting that defines the start-up mode and access permissions for a particular system service.

RSOP_UserPrivilegeRight

This class represents the security setting for a local Group Policy that relates to the assignment of a particular user privilege.

RSOP_PolicySetting

The RSOP_PolicySetting WMI class is the base class from which the policy-setting classes of the client-side extensions derive. An instance of a derived class corresponds to a specific policy setting. This class was added for Windows XP.

Requirements for this class are as follows:

  • Client: Included in Windows XP Professional.

  • Server: Included in Windows Server 2003.
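The classes in the table above are what Group Policy Results and Gpresult read when they report logging-mode data. The following script is an added example, not code from the original page or from Microsoft, that queries them directly through WMI and reports the settings that actually won. It assumes PowerShell 2.0 or later running as a local administrator on Windows XP / Windows Server 2003 or later, that the computer's logged RSoP lives in the root\RSOP\Computer namespace (per-user data sits under root\RSOP\User\<SID with underscores>), and that the baseline thresholds and the function names are the example's own choices.

```powershell
# Added example (not part of the original page): read the logged RSoP security
# classes through WMI and report the settings that won.
# Assumptions: PowerShell 2.0+, local administrator, logged computer RSoP in
# root\RSOP\Computer; the baseline values below are illustrative.

$RsopNamespace = 'root\RSOP\Computer'

function Get-WinningRsopSetting {
    param([Parameter(Mandatory = $true)][string]$Class)
    # RSoP logs one instance per GPO that touched a setting. The precedence
    # property inherited from RSOP_PolicySetting is 1 for the instance that won.
    Get-WmiObject -Namespace $RsopNamespace -Class $Class |
        Where-Object { $_.precedence -eq 1 }
}

# Illustrative minimum values for RSOP_SecuritySettingNumeric.KeyName entries.
$Baseline = @{
    'MinimumPasswordLength' = 8
    'PasswordHistorySize'   = 24
    'LockoutBadCount'       = 1     # 0 means accounts never lock out
}

function Get-AccountPolicyReport {
    # Account policy numerics with the GPO that set each one, checked against $Baseline.
    foreach ($s in Get-WinningRsopSetting 'RSOP_SecuritySettingNumeric') {
        $status = 'ok'
        if ($Baseline.ContainsKey($s.KeyName) -and [int64]$s.Setting -lt $Baseline[$s.KeyName]) {
            $status = 'BELOW BASELINE (want >= {0})' -f $Baseline[$s.KeyName]
        }
        New-Object PSObject -Property @{
            Setting = $s.KeyName
            Value   = $s.Setting
            Status  = $status
            GPO     = $s.GPOID      # distinguished name of the winning GPO
        }
    }
}

function Get-UnauditedCategories {
    # RSOP_AuditPolicy exposes Category plus Success/Failure booleans; a
    # category with neither set writes no security log entries at all.
    Get-WinningRsopSetting 'RSOP_AuditPolicy' |
        Where-Object { -not $_.Success -and -not $_.Failure } |
        Select-Object Category, GPOID
}

Get-AccountPolicyReport | Format-Table Setting, Value, Status, GPO -AutoSize
Get-UnauditedCategories | Format-Table Category, GPOID -AutoSize
```

Filtering on precedence is the important step: without it every GPO that ever set a value appears, and a weak value from a lower-precedence GPO can be mistaken for the effective one. The GPOID column tells you which GPO to fix in GPMC.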

Command Line Tools

This section describes the Windows Server 2003 command line tools for configuring, analyzing, and updating security settings:

  • Secedit.exe

  • Gpupdate.exe

Secedit.exe

You can use the secedit.exe command to configure and analyze system security by comparing your current configuration to at least one template.

Note

  • Secedit /refreshpolicy has been replaced with gpupdate. To refresh local Group Policy settings and Group Policy settings that are stored in Active Directory, including security settings, use gpupdate. See “Gpupdate,” later in this section.

Secedit supports the following commands:

  • analyze

  • configure

  • export

  • import

  • validate

  • generateRollback

Secedit /analyze

This command allows you to analyze the security settings on a computer by comparing them against the baseline settings in a database. You can view the results of the analysis in the Security Configuration and Analysis snap-in.

Syntax

secedit /analyze /db FileName.sdb [/cfg FileName] [/overwrite] [/log FileName] [/quiet]

Parameters

/db FileName.sdb

This parameter specifies the database used to perform the analysis.

/cfg FileName

This parameter specifies a security template to import into the database prior to performing the analysis. Security templates are created using the Security Templates snap-in.

/overwrite

This parameter specifies that the database should be emptied before the security template is imported. If it is not specified, the template settings are accumulated in the database, and template settings take precedence over conflicting settings already in the database.

/log FileName

This parameter specifies a file in which to log the status of the analysis process. If not specified, analysis data is logged in the scesrv.log file, which is located in the %windir%\security\logs directory.

/quiet

This parameter specifies that the analysis process should take place without prompting the user.

Examples

The following is an example of how you can use this command:

secedit /analyze /db hisecws.sdb

Secedit /configure

You can use secedit /configure to configure local computer security by applying the settings stored in a database.

Syntax

secedit /configure /db FileName [/cfg FileName] [/overwrite] [/areas Area1 Area2 ...] [/log FileName] [/quiet]

Parameters

/db FileName

This parameter specifies the database used to perform the security configuration.

/cfg FileName

This parameter specifies a security template to import into the database prior to configuring the computer. Security templates are created using the Security Templates snap-in.

/overwrite

This parameter specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated in the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings take precedence.

/areas Area1 Area2 ...

This parameter specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following security areas are supported:

Area name Description

SECURITYPOLICY

This includes Account Policies, Audit Policy, Event Log settings, and Security Options.

GROUP_MGMT

This includes Restricted Groups settings.

USER_RIGHTS

This includes User Rights Assignment.

REGKEYS

This includes Registry permissions.

FILESTORE

This includes File System permissions.

SERVICES

This includes System Services settings.

/log FileName

This parameter specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the scesrv.log file, which is located in the %windir%\security\logs directory.

/quiet

This parameter specifies that the configuration process should take place without prompting the user.

Examples

The following are examples of how you can use this command:

secedit /configure /db hisecws.sdb /cfg hisecws.inf /overwrite /log hisecws.log

If dbFileName (the database file) does not exist, secedit creates a new database using the settings in cfgFileName (the template file) and applies the configuration. If dbFileName exists, secedit merges the template settings into the database before applying the newly merged configuration. If you omit cfgFileName, secedit applies the configuration using the settings already stored in the database.

Secedit /export

Running secedit /export allows you to export the security settings stored in the database.

Syntax

secedit /export [/db FileName] [/mergedpolicy] /cfg FileName [/areas Area1 Area2 ...] [/log FileName] [/quiet]

Parameters

/db FileName

This parameter specifies the database whose stored settings are exported.

/mergedpolicy

This parameter merges and exports domain and local policy security settings.

/cfg FileName

This parameter specifies the template the settings will be exported to.

/areas Area1 Area2 ...

This parameter specifies the security areas to be exported to a template. If an area is not specified, all areas are exported. Each area should be separated by a space. The following table lists the security areas that can be exported.

Security Areas and Descriptions

Area name Description

SECURITYPOLICY

This includes Account Policies, Audit Policy, Event Log settings, and Security Options.

GROUP_MGMT

This includes Restricted Groups settings.

USER_RIGHTS

This includes User Rights Assignment.

REGKEYS

This includes Registry permissions.

FILESTORE

This includes File System permissions.

SERVICES

This includes System Services settings.

/log FileName

This parameter specifies a file in which to log the status of the export process. If not specified, the default is %windir%\security\logs\scesrv.log.

/quiet

This parameter specifies that the export process should take place without prompting the user.

Examples

The following is an example of how you can use this command:

secedit /export /db hisecws.sdb /cfg hisecws.inf /log hisecws.log
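An exported template is plain INF text, so it is easy to inspect or diff from a script. The following is an added example, not code from the original page or from Microsoft, that exports the effective (merged domain and local) policy with /mergedpolicy and parses the result. It assumes secedit.exe is on the PATH, the session has administrative rights, the standard template section names ([System Access], [Privilege Rights]) and the `*S-1-…` SID notation used in templates, and that SID translation can reach the local machine and its domain; Read-SecurityTemplate and Resolve-TemplateAccount are names chosen for this example.

```powershell
# Added example (not part of the original page): export the merged policy
# with secedit /export and parse the INF it produces.
# Assumptions: secedit.exe on PATH, elevated session, standard template
# section/key names; SID translation may fail for deleted or foreign accounts.

function Read-SecurityTemplate {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Returns a hashtable: section name -> hashtable of key -> value.
    # secedit writes the INF as Unicode with a BOM, which Get-Content detects.
    $sections = @{}
    $current = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match '^\[(.+)\]$') {
            $current = $matches[1]
            $sections[$current] = @{}
            continue
        }
        if ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $sections[$current][$matches[1]] = $matches[2]
        }
    }
    $sections
}

function Resolve-TemplateAccount {
    param([string]$Token)
    # Templates store accounts as *S-1-5-32-544 (a SID) or as a plain name.
    $t = $Token.Trim()
    if ($t.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($t.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $t   # leave unresolvable SIDs as they are
        }
    }
    $t
}

$inf = Join-Path $env:TEMP 'mergedpolicy.inf'
$log = Join-Path $env:TEMP 'mergedpolicy.log'
& secedit /export /mergedpolicy /cfg $inf /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed; see $log" }

$policy = Read-SecurityTemplate -Path $inf
$access = $policy['System Access'];    if (-not $access) { $access = @{} }
$rights = $policy['Privilege Rights']; if (-not $rights) { $rights = @{} }

'--- [System Access] (password and lockout policy) ---'
$access.GetEnumerator() | Sort-Object Key | Format-Table Key, Value -AutoSize

'--- Holders of sensitive rights from [Privilege Rights] ---'
$sensitive = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege'
foreach ($right in $sensitive) {
    $holders = $rights[$right]
    if ($holders) {
        $names = ($holders -split ',' | ForEach-Object { Resolve-TemplateAccount $_ }) -join ', '
        '{0,-26} {1}' -f $right, $names
    } else {
        '{0,-26} (not assigned to anyone)' -f $right
    }
}
```

Resolving the SIDs matters because an exported template shows `SeDebugPrivilege = *S-1-5-32-544`, not `BUILTIN\Administrators`; a stale or unknown SID left in a right such as SeTcbPrivilege is exactly the kind of entry a review should catch.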

Secedit /import

Running secedit /import allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system.

Syntax

secedit /import /db FileName.sdb /cfg FileName.inf [/overwrite] [/areas Area1 Area2 ...] [/log FileName] [/quiet]

Parameters

/db FileName.sdb

This parameter specifies the database to which the security template settings will be imported.

/cfg FileName

This parameter specifies a security template to import into the database. Security templates are created using the Security Templates snap-in.

/overwrite

This parameter specifies that the database contents should be cleared prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated in the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings take precedence.

/areas Area1 Area2 ...

This parameter specifies the security areas to be imported into the database, as listed in the following table. If an area is not specified, all areas in the template are imported. Each area should be separated by a space.

Area name Description

SECURITYPOLICY

This includes Account Policies, Audit Policy, Event Log settings, and Security Options.

GROUP_MGMT

This includes Restricted Groups settings.

USER_RIGHTS

This includes User Rights Assignment.

REGKEYS

This includes Registry permissions.

FILESTORE

This includes File System permissions.

SERVICES

This includes System Services settings.

/log FileName

This parameter specifies a file in which to log the status of the import process. If not specified, the default is %windir%\security\logs\scesrv.log.

/quiet

This parameter specifies that the import process should take place without prompting the user.

Examples

The following is an example of how you can use this command:

secedit /import /db hisecws.sdb /cfg hisecws.inf /overwrite

Secedit /validate

You can use secedit /validate to validate the syntax of a security template to be imported into a database for analysis or application to a system.

Syntax

secedit /validate FileName

Parameters

FileName

This parameter specifies the file name of the security template, created with the Security Templates snap-in, whose syntax is to be checked.

Examples

The following is an example of how you can use this command:

secedit /validate hisecws.inf

Secedit /GenerateRollback

You can run secedit /GenerateRollback to generate a rollback template with respect to a configuration template. When applying a configuration template to a computer, you have the option of first creating a rollback template which, when applied, resets the security settings to the values they had before the configuration template was applied. Generate the rollback template before you run secedit /configure: it records the current values of the settings that the configuration template would change, so a rollback template generated afterwards would only capture the already-changed values.

Syntax

secedit /GenerateRollback /cfg FileName.inf /rbk FileName.inf [/log FileName] [/quiet]

Parameters

/cfg FileName

This parameter specifies the file name of the security template for which you want to create a rollback template.

/rbk FileName

This parameter specifies the file name of the security template that will be created as the rollback template.

/log FileName

This parameter specifies a file in which to log the status of the rollback generation process. If not specified, the default is %windir%\security\logs\scesrv.log.

/quiet

This parameter specifies that the process should take place without prompting the user.
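The secedit commands above are normally run as one procedure: validate the template, generate a rollback, configure, then analyze. The following is an added example, not code from the original page or from Microsoft, that runs that procedure in the order that preserves a way back and restores the rollback template automatically if /configure fails. It assumes secedit.exe is on the PATH, the session has administrative rights, the Windows Server 2003 syntax documented on this page (in particular /generaterollback without a /db parameter and /validate taking a bare file name), that secedit returns a non-zero exit code on failure, and that the analysis log reports differences in lines containing "Mismatch"; Invoke-Secedit and Apply-SecurityTemplate are names chosen for this example.

```powershell
# Added example (not part of the original page): apply a security template
# with secedit in the order validate -> generaterollback -> configure -> analyze.
# Assumptions: secedit.exe on PATH, elevated session, Server 2003 syntax as
# documented on this page, non-zero exit code on failure, "Mismatch" lines in
# the analysis log.

function Invoke-Secedit {
    param([Parameter(Mandatory = $true)][string[]]$Arguments)
    & secedit @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw ('secedit {0} failed with exit code {1}' -f ($Arguments -join ' '), $LASTEXITCODE)
    }
}

function Apply-SecurityTemplate {
    param(
        [Parameter(Mandatory = $true)][string]$Template,            # e.g. hisecws.inf
        [string]$WorkDir = (Join-Path $env:TEMP 'secedit-run'),
        [string[]]$Areas = @('SECURITYPOLICY', 'USER_RIGHTS')     # omit to apply every area
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $db       = Join-Path $WorkDir 'apply.sdb'
    $rollback = Join-Path $WorkDir 'rollback.inf'
    $log      = Join-Path $WorkDir 'apply.log'

    # 1. Refuse templates with syntax errors before touching the system.
    Invoke-Secedit @('/validate', $Template)

    # 2. Record the current values of everything $Template would change.
    #    This must happen BEFORE /configure, or the rollback captures new values.
    Invoke-Secedit @('/generaterollback', '/cfg', $Template, '/rbk', $rollback, '/log', $log, '/quiet')

    # 3. Configure from a fresh database (/overwrite) so stale entries cannot
    #    leak into the result, limited to the requested areas.
    $cfgArgs = @('/configure', '/db', $db, '/cfg', $Template, '/overwrite', '/log', $log, '/quiet')
    if ($Areas) { $cfgArgs += '/areas'; $cfgArgs += $Areas }
    try {
        Invoke-Secedit $cfgArgs
    } catch {
        Write-Warning "Configure failed; restoring previous settings from $rollback"
        $rbDb = Join-Path $WorkDir 'rollback.sdb'
        Invoke-Secedit @('/configure', '/db', $rbDb, '/cfg', $rollback, '/overwrite', '/log', $log, '/quiet')
        throw
    }

    # 4. Re-analyze the live system against the same database and surface
    #    anything that did not take (the snap-in shows the same results).
    Invoke-Secedit @('/analyze', '/db', $db, '/log', $log, '/quiet')
    Select-String -Path $log -Pattern 'Mismatch|Error' | Select-Object -ExpandProperty Line

    $rollback   # hand the rollback path back so it can be kept with the change record
}

# Usage (hisecws.inf ships in %windir%\security\templates on Windows Server 2003):
# Apply-SecurityTemplate -Template "$env:windir\security\templates\hisecws.inf"
```

Keep the rollback template with the change record rather than in %TEMP%; applying it later is the same secedit /configure call the catch block uses.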

Gpupdate

You can use gpupdate to refresh local Group Policy settings and Group Policy settings that are stored in Active Directory, including security settings. This command supersedes the now obsolete /refreshpolicy option for the secedit command.

Syntax

gpupdate [/target:{computer | user}] [/force] [/wait:Value] [/logoff] [/boot]

Parameters

/target:{computer | user}

This parameter specifies that only the Computer settings or only the current User settings are processed. By default, both the computer settings and the user settings are processed.

/force

Using this parameter ignores all processing optimizations and reapplies all settings.

/wait:Value

This parameter specifies the number of seconds that gpupdate waits for policy processing to finish before returning to the command prompt. The default is 600 seconds. A value of 0 means do not wait, and -1 means wait indefinitely. This wait applies only to the refresh that gpupdate triggers; it is unrelated to the background refresh interval, which on domain members defaults to 90 minutes plus a random offset of up to 30 minutes.

/logoff

This parameter specifies that a user log off occurs after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the user logs on, such as user Group Policy Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require the user to log off.

/boot

Using this parameter restarts the computer after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the computer starts up, such as computer Group Policy Software Installation. This option has no effect if there are no extensions called that require the computer to be restarted.

/?

Using this parameter displays help at the command prompt.

Examples

The following examples show how you can use the gpupdate command:

  • gpupdate

    This command triggers a Group Policy refresh.

  • gpupdate /target:computer

    This command triggers a Group Policy refresh of the Computer Settings policies only.

  • gpupdate /force /wait:100

    This command triggers a Group Policy refresh, reapplies all policy settings, and indicates to wait 100 seconds for policy to finish processing.

  • gpupdate /boot

    This command triggers a Group Policy refresh and then causes the computer to restart.

Security Settings Policies

Security Settings include policy settings to control the following aspects of security:

  • Account Policies

  • Local Policies

  • Event Log

  • Restricted Groups

  • System Services

  • Registry

  • File System

For a description of all security settings policies, see “Security Policy Settings” in the Security Collection.

Related Information

The following resources contain additional information that is relevant to this section.