Share via


Secedit

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Secedit

Configures and analyzes system security by comparing your current configuration to at least one template.

To view the command syntax, click a command:

  • secedit /analyze

  • secedit /configure

  • secedit /export

  • secedit /import

  • secedit /validate

  • secedit /GenerateRollback

secedit /analyze

Allows you to analyze the security settings on a computer by comparing them against the baseline settings in a database.

Syntax

secedit /analyze /db FileName .sdb[/cfgFileName] [/overwrite] [/logFileName] [/quiet]

Parameters

  • /db FileName .sdb
    Specifies the database used to perform the analysis.
  • /cfg FileName
    Specifies a security template to import into the database prior to performing the analysis. Security templates are created using the Security Templates snap-in.
  • /log FileName
    Specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the scesrv.log file which is located in the %windir%\security\logs directory.
  • /quiet
    Specifies that the analysis process should take place without further comments.

Remarks

Examples

Following is an example of how you can use this command:

secedit /analyze /db hisecws.sdb

secedit /configure

Configures local computer security by applying the settings stored in a database.

Syntax

secedit /configure /db FileName[/cfg FileName ] [/overwrite][/areasArea1 Area2 ...] [/logFileName] [/quiet]

Parameters

  • /db FileName
    Specifies the database used to perform the security configuration.
  • /cfg FileName
    Specifies a security template to import into the database prior to configuring the computer. Security templates are created using the Security Templates snap-in.
  • /overwrite
    Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.
  • /areas Area1 Area2 ...
    Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following security areas are supported:
<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Area name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>SECURITYPOLICY</p></td>
<td><p>Includes account policies, audit policies, event log settings, and security options.</p></td>
</tr>
<tr class="even">
<td><p>GROUP_MGMT</p></td>
<td><p>Includes Restricted Group settings</p></td>
</tr>
<tr class="odd">
<td><p>USER_RIGHTS</p></td>
<td><p>Includes User Rights Assignment</p></td>
</tr>
<tr class="even">
<td><p>REGKEYS</p></td>
<td><p>Includes Registry Permissions</p></td>
</tr>
<tr class="odd">
<td><p>FILESTORE</p></td>
<td><p>Includes File System permissions</p></td>
</tr>
<tr class="even">
<td><p>SERVICES</p></td>
<td><p>Includes System Service settings</p></td>
</tr>
</tbody>
</table>
  • /log FileName
    Specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the scesrv.log file which is located in the %windir%\security\logs directory.
  • /quiet
    Specifies that the configuration process should take place without prompting the user.

Examples

Following are examples of how you can use this command:

secedit /configure /db hisecws.sdb /cfg

hisecws.inf /overwrite /log hisecws.log

secedit /export

Allows you to export the security settings stored in the database.

Syntax

secedit /export[/DBFileName] [/mergedpolicy] [/CFG FileName] [/areasArea1 Area2 ...] [/logFileName] [/quiet]

Parameters

  • /db FileName
    Specifies the database used to configure security.
  • /mergedpolicy
    Merges and exports domain and local policy security settings.
  • /CFG FileName
    Specifies the template the settings will be exported to.
  • /areas Area1 Area2 ...
    Specifies the security areas to be exported to a template. If an area is not specified, all areas are exported. Each area should be separated by a space.
<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Area name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>SECURITYPOLICY</p></td>
<td><p>Includes account policies, audit policies, event log settings, and security options.</p></td>
</tr>
<tr class="even">
<td><p>GROUP_MGMT</p></td>
<td><p>Includes Restricted Group settings</p></td>
</tr>
<tr class="odd">
<td><p>USER_RIGHTS</p></td>
<td><p>Includes User Rights Assignment</p></td>
</tr>
<tr class="even">
<td><p>REGKEYS</p></td>
<td><p>Includes Registry Permissions</p></td>
</tr>
<tr class="odd">
<td><p>FILESTORE</p></td>
<td><p>Includes File System permissions</p></td>
</tr>
<tr class="even">
<td><p>SERVICES</p></td>
<td><p>Includes System Service settings</p></td>
</tr>
</tbody>
</table>
  • /log FileName
    Specifies a file in which to log the status of the export process. If not specified, the default is %windir%\security\logs\scesrv.log.
  • /quiet
    Specifies that the configuration process should take place without prompting the user.

Examples

Following is an example of how you can use this command:

secedit /export /db hisecws.inf /log hisecws.log

secedit /import

Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system.

Syntax

secedit /import /db FileName .sdb /cfg FileName.inf [/overwrite] [/areasArea1 Area2 ...] [/logFileName] [/quiet]

Parameters

  • /db FileName .sdb
    Specifies the database that the security template settings will be imported into.
  • /CFG FileName
    Specifies a security template to import into the database. Security templates are created using the Security Templates snap-in.
  • /overwrite FileName
    Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.
  • /areas Area1 Area2 ...
    Specifies the security areas to be exported to a template. If an area is not specified, all areas are exported. Each area should be separated by a space.
<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Area name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>SECURITYPOLICY</p></td>
<td><p>Includes account policies, audit policies, event log settings, and and security options.</p></td>
</tr>
<tr class="even">
<td><p>GROUP_MGMT</p></td>
<td><p>Includes Restricted Group settings</p></td>
</tr>
<tr class="odd">
<td><p>USER_RIGHTS</p></td>
<td><p>Includes User Rights Assignment</p></td>
</tr>
<tr class="even">
<td><p>REGKEYS</p></td>
<td><p>Includes Registry Permissions</p></td>
</tr>
<tr class="odd">
<td><p>FILESTORE</p></td>
<td><p>Includes File System permissions</p></td>
</tr>
<tr class="even">
<td><p>SERVICES</p></td>
<td><p>Includes System Service settings</p></td>
</tr>
</tbody>
</table>
  • /log FileName
    Specifies a file in which to log the status of the export process. If not specified, the default is %windir%\security\logs\scesrv.log.
  • /quiet
    Specifies that the configuration process should take place without prompting the user.

Examples

Following is an example of how you can use this command:

secedit /import /db hisecws.sdb /cfg hisecws.inf /overwrite

secedit /validate

Validates the syntax of a security template to be imported into a database for analysis or application to a system.

Syntax

secedit /validate FileName

Parameters

  • FileName
    Specifies the file name of the security template you have created with Security Templates.

Examples

Following is an example of how you can use this command:

secedit /validate /cfg filename

secedit /GenerateRollback

Allows you to generate a rollback template with respect to a configuration template. When applying a configuration template to a computer you have the option of creating rollback template which, when applied, resets the security settings to the values before the configuration template was applied.

Syntax

secedit /GenerateRollback /CFG FileName.inf /RBK SecurityTemplatefilename.inf [/logRollbackFileName.inf] [/quiet]

Parameters

  • /CFG FileName
    Specifies the file name of the security template for which you want to create a rollback template of.
  • /RBK FileName
    Specifies the file name of the security template that will be created as the rollback template.

Remarks

  • secedit /refreshpolicy has been replaced with gpupdate. For information on how to refresh security settings, see Related Topics.

Formatting legend

Format Meaning

Italic

Information that the user must supply

Bold

Elements that the user must type exactly as shown

Ellipsis (...)

Parameter that can be repeated several times in a command line

Between brackets ([])

Optional items

Between braces ({}); choices separated by pipe (|). Example: {even|odd}

Set of choices from which the user must choose only one

Courier font

Code or program output

See Also

Other Resources

Command-line reference A-Z
Command shell overview
Automating security configuration tasks
Gpupdate