Share via


Secedit

 

Applies To: Windows Server 2003, Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2000, Windows Server 2012, Windows 8

Configures and analyzes system security by comparing your current configuration to specified security templates.

Syntax

secedit 
[/analyze /db <database file name> /cfg <configuration file name> [/overwrite] /log <log file name> [/quiet]]
[/configure /db <database file name> [/cfg <configuration filename>] [/overwrite] [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]]
[/export /db <database file name> [/mergedpolicy] /cfg <configuration file name> [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>]]
[/generaterollback /db <database file name> /cfg <configuration file name> /rbk <rollback file name> [/log <log file name>] [/quiet]]
[/import /db <database file name> /cfg <configuration file name> [/overwrite] [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]]
[/validate <configuration file name>]

Parameters

Parameter

Description

Secedit:analyze

Allows you to analyze current systems settings against baseline settings that are stored in a database. The analysis results are stored in a separate area of the database and can be viewed in the Security Configuration and Analysis snap-in.

Secedit:configure

Allows you to configure a system with security settings stored in a database.

Secedit:export

Allows you to export security settings stored in a database.

Secedit:generaterollback

Allows you to generate a rollback template with respect to a configuration template.

Secedit:import

Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system.

Secedit:validate

Allows you to validate the syntax of a security template.

Remarks

For all filenames, the current directory is used if no path is specified.

When a security template is created using the Security Template snap-in and the Security Configuration and Analysis snap-in is run, the following files are created:

File

Description

Scesrv.log

Location: %windir%\security\logs

Created by: operating system

File type: text

Refresh rate: Overwritten when secedit /analyze, /configure, /export or /import are run.

Content: Contains the results of the analysis grouped by policy type.

User-selected name.sdb

Location: %windir%\user account\Documents\Security\Database

Created by: running the Security Configuration and Analysis snap-in

File type: proprietary

Refresh rate: Updated whenever a new security template is created.

Content: Local security policies and user-created security templates.

User-selected name.log

Location: User-defined but defaults to %windir%\user account\Documents\Security\Logs

Created by: Running the /analyze and /configure subcommands (or using the Security Configuration and Analysis snap-in)

File type: text

Refresh rate: Running the /analyze and /configure subcommands (or using the Security Configuration and Analysis snap-in); overwritten.

Content:

  1. Log file name

  2. Date and time

  3. Results of analysis or investigation.

User-selected name.inf

Location: %windir%\user account\Documents\Security\Templates

Created by: running the Security Template snap-in

File type: text

Refresh rate: each time the security template is updated

Content: Contains the set up information for the template for each policy selected using the snap-in.

Note

The Microsoft Management Console (MMC) and the Security Configuration and Analysis snap-in are not available on Server Core.

Additional references

For examples of how this command can be used, see the examples section in any of the subcommand files.