Reapply default security settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To reapply default security settings

  • Using the Windows interface

  • Using a command line

Using the Windows interface

  1. Open Security Configuration and Analysis.

  2. In the console tree, right-click Security Configuration and Analysis, and then click Open Database.

    Where?

    • Console Root/Security Configuration and Analysis

  3. In File name, type the file name, and then click Open.

  4. Do one of the following:

    • For a domain controller, in the console tree, right-click Security Configuration and Analysis, click Import Template, and then click DC security.

    • For other computers, in the console tree, right-click Security Configuration and Analysis, click Import Template, and then click setup security.

  5. Select the Clear this database before importing check box, and then click Open.

  6. In the console tree, right-click Security Configuration and Analysis, and then click Configure Computer Now.

  7. Do one of the following:

    • To use the default log specified in Error log file path, click OK.

    • To specify a different log, in Error log file path, type a valid path and file name, and then click OK.

  8. When the configuration is done, right-click Security Configuration and Analysis, and then click View Log File.

Important

  • Applying the entire setup security template is a drastic measure that should be avoided. Instead, use the secedit command-line tool to apply default settings for specific areas. See the Using a command line section of this procedure.

Notes

  • Different permissions are required to perform this procedure, depending on the environment in which you reapply default security settings:

    • If you reapply default security settings to your local computer: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

    • If you reapply default security settings to a computer that is joined to a domain: To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Security Configuration and Analysis, click Start, click Run, type mmc, and then click OK. On the File menu, click Open, click the console that you want to open, and then click Open. In the console tree, click Security Configuration and Analysis.

  • The default path for the log file is:

    systemroot\Documents and Settings\UserAccount\My Documents\Security\Logs\

  • When you reapply default security settings, all settings that are defined in Setup security.inf are set as the template specifies, but other settings that are not defined in the template may persist. For more information, see Applying security settings.

Using a command line

  • Open Command Prompt.

  • For a server or workstation, type:

    secedit /configure /DB FileName /CFG "%windir%\Security\Templates\Setup security.inf" [/overwrite] [/areas Area1 Area2...] [/log LogPath] [/quiet]

    For a domain controller, type:

    secedit /configure /DB FileName /CFG "%windir%\Security\Templates\DC security.inf" [/overwrite] [/areas Area1 Area2...] [/log LogPath] [/quiet]

Arguments

/DB FileName

Required. Provides the path to a database that contains the security template that should be applied. To create a new database, type the database file name and path.

/CFG "%windir%\Security\Templates\Setup security.inf"

Specifies the Setup security.inf template that contains the default security settings.

/overwrite

Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.

/areas Area1 Area2...

Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following security areas are supported:

SECURITYPOLICY - Includes account policies, audit policies, event log settings, and security options.

GROUP_MGMT - Includes Restricted Group settings.

USER_RIGHTS - Includes user rights assignment.

REGKEYS - Includes registry permissions.

FILESTORE - Includes file system permissions.

SERVICES - Includes System Service settings.

/log LogPath

Specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the Scesrv.log file, which is located in the %windir%\Security\Logs folder.

/quiet

Specifies that the configuration process should take place without prompting the user.

Important

  • It is advisable to apply Setup security.inf in parts by using the /areas parameter, so that you control which parts of the default configuration you are restoring.
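The following script is an added example and is not part of this Help topic or of the secedit tool. It wraps the command-line procedure above so that only the requested /areas groups are restored, shows which sections of the template each area touches (the note under Using the Windows interface points out that only settings defined in the template are changed), and reads the log back afterwards. The mapping from template [Section] names to /areas keywords, the database and log paths under %TEMP%, and the use of Win32_ComputerSystem.DomainRole to choose between Setup security.inf and DC security.inf are assumptions of this example, not statements from the page.

```powershell
<#
  Added example, not part of the original Help topic: restore default
  security settings one /areas group at a time with secedit, as the
  Important note above recommends.
  Assumed (not stated on the page): the mapping from template [Section]
  names to /areas keywords, the database and log paths under %TEMP%,
  and the use of Win32_ComputerSystem.DomainRole to pick the template.
  Run from an elevated prompt on the server being restored.
#>
param(
    # Areas to restore, for example: -Areas SECURITYPOLICY,USER_RIGHTS
    [string[]]$Areas = @('SECURITYPOLICY'),
    # Print the secedit command line instead of running it
    [switch]$DryRun
)

# Step 1: choose the template the procedure prescribes for this role.
# DomainRole 4 (backup DC) or 5 (primary DC) means a domain controller.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
$templateName = if ($role -ge 4) { 'DC security.inf' } else { 'Setup security.inf' }
$cfg = Join-Path $env:windir "Security\Templates\$templateName"
if (-not (Test-Path -LiteralPath $cfg)) { throw "Template not found: $cfg" }

# Step 2: show which template sections each requested area will touch, so
# the operator sees what "in parts" means for this template (assumed mapping).
$areaSections = @{
    SECURITYPOLICY = @('System Access', 'Event Audit', 'Registry Values',
                       'Application Log', 'Security Log', 'System Log')
    GROUP_MGMT     = @('Group Membership')
    USER_RIGHTS    = @('Privilege Rights')
    REGKEYS        = @('Registry Keys')
    FILESTORE      = @('File Security')
    SERVICES       = @('Service General Setting')
}
# Count the non-comment entries under each [Section] of the template
$entryCount = @{}
$section = $null
foreach ($line in Get-Content -LiteralPath $cfg) {
    $t = $line.Trim()
    if ($t -match '^\[(.+)\]$') { $section = $matches[1]; $entryCount[$section] = 0; continue }
    if ($section -and $t -and -not $t.StartsWith(';')) { $entryCount[$section]++ }
}
foreach ($area in $Areas) {
    if (-not $areaSections.ContainsKey($area)) { throw "Unknown area: $area" }
    foreach ($s in $areaSections[$area]) {
        $n = if ($entryCount.ContainsKey($s)) { $entryCount[$s] } else { 0 }
        Write-Host ("{0,-15} [{1}] {2} entries" -f $area, $s, $n)
    }
}

# Step 3: configure from a fresh database (/overwrite) limited to the chosen
# areas; /quiet suppresses prompts and /log gives a file to review afterwards.
$db  = Join-Path $env:TEMP 'reapply-defaults.sdb'   # assumed database path
$log = Join-Path $env:TEMP 'reapply-defaults.log'   # assumed log path
$secArgs = @('/configure', '/db', $db, '/cfg', $cfg, '/overwrite', '/areas') +
           $Areas + @('/log', $log, '/quiet')
if ($DryRun) { Write-Host ('secedit ' + ($secArgs -join ' ')); return }

& "$env:windir\System32\secedit.exe" $secArgs
if ($LASTEXITCODE -ne 0) { Write-Warning "secedit exited with code $LASTEXITCODE" }

# Step 4: the log, not the exit code, records which objects could not be
# configured; surface anything that looks like an error or warning.
if (Test-Path -LiteralPath $log) {
    Get-Content -LiteralPath $log | Select-String -Pattern 'error|warning|not found'
}
```

Run it first with -DryRun to see the exact secedit command line and the per-section entry counts, then without it for one area at a time, reviewing the log between runs; the template path contains a space, and PowerShell quotes it automatically when it passes the array to secedit.exe.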

Notes

  • Different permissions are required to perform this procedure, depending on the environment in which you reapply default security settings:

    • If you reapply default security settings to your local computer: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

    • If you reapply default security settings to a computer that is joined to a domain: To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

  • To view the complete syntax for this command, at a command prompt, type:

    secedit /?

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Automating security configuration tasks
Command-line reference A-Z