Secedit

Applies To: Windows 7, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows XP

Configures and analyzes system security by comparing your current configuration to specified security templates.

Syntax

secedit 
[/analyze /db <database file name> /cfg <configuration file name> [/overwrite] /log <log file name> [/quiet]]
[/configure /db <database file name> [/cfg <configuration filename>] [/overwrite] [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]]
[/export /db <database file name> [/mergedpolicy] /cfg <configuration file name> [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>]]
[/generaterollback /db <database file name> /cfg <configuration file name> /rbk <rollback file name> [/log <log file name>] [/quiet]]
[/import /db <database file name> /cfg <configuration file name> [/overwrite] [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]]
[/validate <configuration file name>]

Parameters

Parameter Description

Secedit:analyze

Allows you to analyze current system settings against baseline settings that are stored in a database. The analysis results are stored in a separate area of the database and can be viewed in the Security Configuration and Analysis snap-in.

Secedit:configure

Allows you to configure a system with security settings stored in a database.

Secedit:export

Allows you to export security settings stored in a database.

Secedit:generaterollback

Allows you to generate a rollback template with respect to a configuration template.

Secedit:import

Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system.

Secedit:validate

Allows you to validate the syntax of a security template.

Remarks

For all filenames, the current directory is used if no path is specified.

When a security template is created using the Security Template snap-in and the Security Configuration and Analysis snap-in is run, the following files are created:

File Description

Scesrv.log

Location: %windir%\security\logs

Created by: operating system

File type: text

Refresh rate: Overwritten when secedit /analyze, /configure, /export or /import is run.

Content: Contains the results of the analysis grouped by policy type.

User-selected name.sdb

Location: %windir%\user account\Documents\Security\Database

Created by: running the Security Configuration and Analysis snap-in

File type: proprietary

Refresh rate: Updated whenever a new security template is created.

Content: Local security policies and user-created security templates.

User-selected name.log

Location: User-defined but defaults to %windir%\user account\Documents\Security\Logs

Created by: Running the /analyze and /configure subcommands (or using the Security Configuration and Analysis snap-in)

File type: text

Refresh rate: Overwritten each time the /analyze or /configure subcommand is run (or the Security Configuration and Analysis snap-in is used).

Content:

  1. Log file name

  2. Date and time

  3. Results of analysis or investigation.

User-selected name.inf

Location: %windir%\user account\Documents\Security\Templates

Created by: running the Security Template snap-in

File type: text

Refresh rate: each time the security template is updated

Content: Contains the setup information for the template for each policy selected using the snap-in.

Note

The Microsoft Management Console (MMC) and the Security Configuration and Analysis snap-in are not available on Server Core.

Additional references

For examples of how this command can be used, see the examples section in any of the subcommand files.
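
The subcommands above chained into one audit workflow, as an added PowerShell example that is not part of the original reference: it validates a template, analyzes the host against it, lists the differing settings from the log, and only with -Apply generates a rollback template before configuring the system. Assumptions: the C:\SecAudit paths and file names are hypothetical, the analysis log marks each difference with a line of the form "Mismatch - <setting>", and a non-zero exit code from /validate indicates failure.

```powershell
# Added example (not Microsoft's code); run elevated. All paths are hypothetical.
param([switch]$Apply)   # without -Apply the script only audits

$work     = 'C:\SecAudit'
$template = Join-Path $work 'baseline.inf'   # template to audit against
$db       = Join-Path $work 'baseline.sdb'   # database secedit creates or overwrites
$log      = Join-Path $work 'analyze.log'
$rollback = Join-Path $work 'rollback.inf'

function Invoke-Secedit {
    # Run one subcommand, show its console output, return the exit code.
    param([string[]]$Arguments)
    & secedit.exe @Arguments | Out-Host
    return $LASTEXITCODE
}

function Get-AnalysisMismatch {
    # Assumption: the analysis log flags each differing setting on a line
    # of the form "Mismatch - <setting name>."
    param([string]$LogPath)
    foreach ($line in Get-Content -LiteralPath $LogPath) {
        if ($line -match '^\s*Mismatch\s*-\s*(.+?)\.?\s*$') { $Matches[1] }
    }
}

# 1. Reject a malformed template before it reaches the database.
#    Assumption: a non-zero exit code means validation failed.
if ((Invoke-Secedit '/validate', $template) -ne 0) {
    throw "Template failed validation: $template"
}

# 2. Load the template into the database and analyze the host against it.
$code = Invoke-Secedit '/analyze', '/db', $db, '/cfg', $template, '/overwrite', '/log', $log, '/quiet'
if ($code -ne 0) { Write-Warning "secedit /analyze exited with code $code; see $log" }

# 3. Report the settings that differ from the baseline.
$mismatches = @(Get-AnalysisMismatch -LogPath $log | Sort-Object -Unique)
'{0} setting(s) differ from {1}' -f $mismatches.Count, $template
$mismatches

# 4. Only on request: save a rollback template, then apply the baseline.
if ($Apply -and $mismatches.Count -gt 0) {
    $code = Invoke-Secedit '/generaterollback', '/db', $db, '/cfg', $template, '/rbk', $rollback, '/quiet'
    if ($code -ne 0 -or -not (Test-Path -LiteralPath $rollback)) {
        throw 'Rollback template was not created; baseline not applied.'
    }
    $code = Invoke-Secedit '/configure', '/db', $db, '/log', (Join-Path $work 'configure.log'), '/quiet'
    if ($code -ne 0) { Write-Warning "secedit /configure exited with code $code" }
}
```

Keep the rollback template and both logs with the change record so the configuration can be reverted and reviewed later.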