Secedit
Configures and analyzes system security by comparing your current configuration to at least one template.
secedit /analyze
Syntax
secedit /analyze /db FileName [/cfg FileName] [/log FileName] [/quiet]
Parameters
/db FileName : Required. Specifies the path and file name of a database that contains the stored configuration against which the analysis will be performed. If FileName specifies a new database, the /cfg FileName command-line option must also be specified.
/cfg FileName : Specifies the path and file name for the security template that will be imported into the database for analysis. This command-line option is only valid when used with the /db parameter. If this is not specified, the analysis is performed against any configuration already stored in the database.
/log FileName : Specifies the path and file name of the log file for the process. If this is not provided, the default log file is used.
/quiet : Suppresses screen and log output. You can still view analysis results by using Security Configuration and Analysis.
secedit /configure
Configures system security by applying a stored template.
Syntax
secedit /configure /db FileName [/cfg FileName] [/overwrite] [/areas area1 area2...] [/log FileName] [/quiet]
Parameters
/db FileName : Required. Provides the file name of a database that contains the security template that should be applied.
/cfg FileName : Specifies the file name of the security template that will be imported into the database and applied to the system. This command-line option is only valid when used with the /db parameter. If this is not specified, the template that is already stored in the database is applied.
/overwrite : Specifies whether the security template in the /cfg parameter should overwrite any template or composite template that is stored in the database instead of appending the results to the stored template. This command-line option is only valid when the /cfg parameter is also used. If this is not specified, the template in the /cfg parameter is appended to the stored template.
/areas area1 area2... : Specifies the security areas to be applied to the system. If an area is not specified, all areas are applied to the system. Each area should be separated by a space.
| Area name | Description |
|---|---|
| SECURITYPOLICY | Local policy and domain policy for the system, including account policies, audit policies, and so on. |
| GROUP_MGMT | Restricted group settings for any groups specified in the security template |
| USER_RIGHTS | User logon rights and granting of privileges |
| REGKEYS | Security on local registry keys |
| FILESTORE | Security on local file storage |
| SERVICES | Security for all defined services |
/log FileName : Specifies the file name of the log file for the process. If it is not specified, the default path is used.
/quiet : Suppresses screen and log output.
secedit /export
Exports a stored template from a security database to a security template file.
Syntax
secedit /export [/mergedpolicy] [/DB FileName] [/CFG FileName] [/areas area1 area2...] [/log FileName] [/quiet]
Parameters
/mergedpolicy : Merges and exports domain and local policy security settings.
/db FileName : Specifies the database file that contains the template that will be exported. If the name of a database file is not provided, the system policy database is used.
/cfg FileName : Specifies the file name where the template should be saved.
/areas area1 area2... : Specifies the security areas to be exported to a template. If an area is not specified, all areas are exported. Each area should be separated by a space.
| Area name | Description |
|---|---|
| SECURITYPOLICY | Specifies local policy and domain policy for the system, including account policies, audit policies, and so on. |
| GROUP_MGMT | Specifies restricted group settings for any groups specified in the security template. |
| USER_RIGHTS | Specifies user logon rights and granting of privileges |
| REGKEYS | Specifies the security on local registry keys |
| FILESTORE | Specifies the security on local file storage |
| SERVICES | Specifies security for all defined services |
/log FileName : Specifies the file name of the log file for the process. If not specified, the default path is used.
/quiet : Suppresses screen and log output.
secedit /validate
Validates the syntax of a security template to be imported into a database for analysis or application to a system.
Syntax
secedit /validate FileName
Parameter
FileName : Specifies the file name of the security template you have created with Security Templates.
Remarks
- secedit /refreshpolicy has been replaced with gpupdate. For information on how to refresh security settings, see gpupdate.
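An audit-then-apply sequence that chains the four commands documented above, as an added PowerShell example that is not part of the original reference. The working folder, file names, the `$Apply` switch and the handling of exit codes are assumptions; the folder and the template file are assumed to exist already.

```powershell
# Added example. Paths, file names and $Apply are assumptions, not from the reference.
# Run from an elevated session.
$work     = 'C:\SecAudit'                          # hypothetical working folder
$template = Join-Path $work 'baseline.inf'         # template created with Security Templates
$db       = Join-Path $work 'baseline.sdb'         # new database, so /cfg is required for /analyze
$backup   = Join-Path $work 'current-policy.inf'   # rollback reference
$log      = Join-Path $work 'secedit.log'
$areas    = 'SECURITYPOLICY', 'USER_RIGHTS'        # limit scope; omit /areas to cover all areas
$Apply    = $false                                 # set to $true only after reviewing the analysis

function Invoke-Secedit {
    param([string[]]$Arguments)
    # /quiet is deliberately not used: it suppresses screen and log output.
    & secedit.exe @Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) {
        # Assumption: treat any non-zero exit code as a reason to read the log.
        Write-Warning "secedit $($Arguments[0]) exited with code $LASTEXITCODE; see $log"
    }
    return $LASTEXITCODE
}

# 1. Export the current settings first. No /db is given, so the system policy database is used.
$null = Invoke-Secedit (@('/export', '/cfg', $backup, '/areas') + $areas + @('/log', $log))

# 2. Check the template's syntax before importing it anywhere.
if ((Invoke-Secedit @('/validate', $template)) -ne 0) { throw "Template failed validation: $template" }

# 3. Import the template into the new database and compare the system against it.
$null = Invoke-Secedit @('/analyze', '/db', $db, '/cfg', $template, '/log', $log)

# 4. Apply the template already stored in the database, restricted to the chosen areas.
if ($Apply) {
    $null = Invoke-Secedit (@('/configure', '/db', $db, '/areas') + $areas + @('/log', $log))
}
```

After step 3, the same database can be opened in Security Configuration and Analysis to review the results before `$Apply` is enabled.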
Formatting legend
| Format | Meaning |
|---|---|
| Italic | Information that the user must supply |
| Bold | Elements that the user must type exactly as shown |
| Ellipsis (...) | Parameter that can be repeated several times in a command line |
| Between brackets ([]) | Optional items |
| Between braces ({}); choices separated by pipe (\|). Example: {even\|odd} | Set of choices from which the user must choose only one |
| Courier font | Code or program output |