Secedit
Configures and analyzes system security by comparing your current configuration to at least one template.
To view the command syntax, click a command:
secedit /analyze
Allows you to analyze the security settings on a computer by comparing them against the baseline settings in a database.
Syntax
secedit /analyze/dbFileName.sdb[/cfgFileName] [/overwrite] [/logFileName] [/quiet]
Parameters
- /db FileName.sdb
-
Specifies the database used to perform the analysis.
- /cfg FileName
-
Specifies a security template to import into the database prior to performing the analysis. Security templates are created using the Security Templates snap-in.
- /log FileName
-
Specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the scesrv.log file which is located in the %windir%\security\logs directory.
- /quiet
-
Specifies that the analysis process should take place without further comments.
Remarks
Examples
Following is an example of how you can use this command:
secedit /analyze /db hisecws.sdb
secedit /configure
Configures local computer security by applying the settings stored in a database.
Syntax
secedit/configure/db FileName[/cfg FileName ] [/overwrite][/areasArea1 Area2 ...] [/logFileName] [/quiet]
Parameters
- /db FileName
-
Specifies the database used to perform the security configuration.
- /cfg FileName
-
Specifies a security template to import into the database prior to configuring the computer. Security templates are created using the Security Templates snap-in.
- /overwrite
-
Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.
- /areas Area1 Area2 ...
-
Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following security areas are supported:
|
Area name
|
Description
|
|---|
SECURITYPOLICY | Includes account policies, audit policies, event log settings, and security options. |
GROUP_MGMT | Includes Restricted Group settings |
USER_RIGHTS | Includes User Rights Assignment |
REGKEYS | Includes Registry Permissions |
FILESTORE | Includes File System permissions |
SERVICES | Includes System Service settings |
- /log FileName
-
Specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the scesrv.log file which is located in the %windir%\security\logs directory.
- /quiet
-
Specifies that the configuration process should take place without prompting the user.
Examples
Following are examples of how you can use this command:
secedit /configure /db hisecws.sdb /cfg
hisecws.inf /overwrite /log hisecws.log
secedit /export
Allows you to export the security settings stored in the database.
Syntax
secedit/export[/DBFileName] [/mergedpolicy] [/CFG FileName] [/areasArea1 Area2 ...] [/logFileName] [/quiet]
Parameters
- /db FileName
-
Specifies the database used to configure security.
- /mergedpolicy
-
Merges and exports domain and local policy security settings.
- /CFG FileName
-
Specifies the template the settings will be exported to.
- /areas Area1 Area2 ...
-
Specifies the security areas to be exported to a template. If an area is not specified, all areas are exported. Each area should be separated by a space.
|
Area name
|
Description
|
|---|
SECURITYPOLICY | Includes account policies, audit policies, event log settings, and security options. |
GROUP_MGMT | Includes Restricted Group settings |
USER_RIGHTS | Includes User Rights Assignment |
REGKEYS | Includes Registry Permissions |
FILESTORE | Includes File System permissions |
SERVICES | Includes System Service settings |
- /log FileName
-
Specifies a file in which to log the status of the export process. If not specified, the default is %windir%\security\logs\scesrv.log.
- /quiet
-
Specifies that the configuration process should take place without prompting the user.
Examples
Following is an example of how you can use this command:
secedit /export /db hisecws.inf /log hisecws.log
secedit /import
Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system.
Syntax
secedit/import/dbFileName.sdb/cfgFileName.inf [/overwrite] [/areasArea1 Area2 ...] [/logFileName] [/quiet]
Parameters
- /db FileName .sdb
-
Specifies the database that the security template settings will be imported into.
- /CFG FileName
-
Specifies a security template to import into the database. Security templates are created using the Security Templates snap-in.
- /overwrite FileName
-
Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.
- /areas Area1 Area2 ...
-
Specifies the security areas to be exported to a template. If an area is not specified, all areas are exported. Each area should be separated by a space.
|
Area name
|
Description
|
|---|
SECURITYPOLICY | Includes account policies, audit policies, event log settings, and and security options. |
GROUP_MGMT | Includes Restricted Group settings |
USER_RIGHTS | Includes User Rights Assignment |
REGKEYS | Includes Registry Permissions |
FILESTORE | Includes File System permissions |
SERVICES | Includes System Service settings |
- /log FileName
-
Specifies a file in which to log the status of the export process. If not specified, the default is %windir%\security\logs\scesrv.log.
- /quiet
-
Specifies that the configuration process should take place without prompting the user.
Examples
Following is an example of how you can use this command:
secedit /import /db hisecws.sdb /cfg hisecws.inf /overwrite
secedit /validate
Validates the syntax of a security template to be imported into a database for analysis or application to a system.
Syntax
secedit /validateFileName
Parameters
- FileName
-
Specifies the file name of the security template you have created with Security Templates.
Examples
Following is an example of how you can use this command:
secedit /validate /cfg filename
secedit /GenerateRollback
Allows you to generate a rollback template with respect to a configuration template. When applying a configuration template to a computer you have the option of creating rollback template which, when applied, resets the security settings to the values before the configuration template was applied.
Syntax
secedit /GenerateRollback/CFG FileName.inf /RBK SecurityTemplatefilename.inf [/logRollbackFileName.inf] [/quiet]
Parameters
- /CFG FileName
-
Specifies the file name of the security template for which you want to create a rollback template of.
- /RBK FileName
-
Specifies the file name of the security template that will be created as the rollback template.
Remarks
- secedit /refreshpolicy has been replaced with gpupdate. For information on how to refresh security settings, see Related Topics.
Formatting legend
|
Format
|
Meaning
|
|---|
Italic | Information that the user must supply |
Bold | Elements that the user must type exactly as shown |
Ellipsis (...) | Parameter that can be repeated several times in a command line |
Between brackets ([]) | Optional items |
Between braces ({}); choices separated by pipe (|). Example: {even|odd} | Set of choices from which the user must choose only one |
Courier font
| Code or program output |
See Also