How to Use secedit.exe Local Security Policy command

To view the command syntax, click the following command: Copy codeThe Code is as follows: secedit/analyze
Secedit/configure
Secedit/export
Secedit/import
Secedit/validate
Secedit/GenerateRollback
Secedit/analyze

You can analyze the security settings on a computer by comparing it with the basic settings in the database.
Syntax
Secedit/analyze/db FileName. sdb [/paifilename] [/overwrite] [/logFileName] [/quiet]
Parameters
/Db FileName. sdb
Specifies the database used for analysis.
/Cfg FileName
Specifies the security template to be imported to the database before analysis. Use the security template Management Unit to create a security template.
/Log FileName
Specifies the file that records the configuration process status. If not specified, the configuration data is recorded in the scesrv. log file under the % windir % \ security \ logs directory.
/Quiet
The analysis process is not commented out.
Note
You can view the analysis results in Security Configuration and analysis.

Example
The following is an example of how to use this command:
Secedit/analyze/db hisecws. sdb

Secedit/configure
Configure the security settings of the local computer by setting the application stored in the database.
Syntax
Secedit/configure/db FileName [/cfg FileName] [/overwrite] [/areasArea1 Area2...] [/logFileName] [/quiet]
Parameters
/Db FileName
Specifies the database used for security configuration.
/Cfg FileName
Specifies the security template to be imported to the database before configuring the computer. Use the security template Management Unit to create a security template.
/Overwrite
Specifies that the database should be cleared before the security template is imported. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there is a configuration conflict between the database and the currently imported template, the template configuration has priority.
/Areas Area1 Area2...
Specifies the security zone of the application to the system. If no parameter is specified, all security settings defined in the database will be applied to the system. To configure multiple regions, use spaces to separate each region. The following security regions are supported: Region Name Description SECURITYPOLICY includes account policies, audit policies, Event Log Settings, and security options. GROUP_MGMT includes the configuration of the Restricted Group USER_RIGHTS, including user permission allocation of REGKEYS, including registry permission FILESTORE, file system permission, SERVICES, and system service settings
/Log FileName
Specifies the file that records the configuration process status. If not specified, the configuration data is recorded in the scesrv. log file under the % windir % \ security \ logs directory.
/Quiet
Specify that the configuration process should be performed without prompting the user.
Example
The following is an example of how to use this command:
Secedit/configure/db hisecws. sdb/cfg
Hisecws. inf/overwrite/log hisecws. log

Secedit/export
You can export security settings stored in the database.
Syntax
Secedit/export [/DBFileName] [/mergedpolicy] [/CFG FileName] [/areasArea1 Area2...] [/logFileName] [/quiet]
Parameters
/Db FileName
Specifies the database used to configure security.
/Mergedpolicy
Merge and export domain and local policy security.
/CFG FileName
Specifies the template to export the settings.
/Areas Area1 Area2...
Specifies the security zone to be exported to the template. If no region is specified, all regions will be exported. Each region should be separated by spaces. The region Name Description SECURITYPOLICY includes the Account Policy, Audit Policy, Event Log Settings, and security options. GROUP_MGMT includes the configuration of the Restricted Group USER_RIGHTS, including user permission allocation of REGKEYS, including registry permission FILESTORE, file system permission, SERVICES, and system service settings
/Log FileName
Specifies the file that records the export process status. If this file is not specified, the % windir % \ security \ logs \ scesrv. log is recorded by default.
/Quiet
Specify that the configuration process should be performed without prompting the user.
Example
The following is an example of how to use this command:
Secedit/export/db hisecws. inf/log hisecws. log

Secedit/import
You can import a security template to a database so that the settings specified in the template can be applied to the system or used as the basis for analyzing the system.
Syntax
Secedit/import/db FileName. sdb/cfg FileName. inf [/overwrite] [/areasArea1 Area2...] [/logFileName] [/quiet]
Parameters
/Db FileName. sdb
Specifies the database to which the security template settings are imported.
/CFG FileName
Specifies the security template to be imported to the database. Use the security template Management Unit to create a security template.
/Overwrite FileName
Specifies that the database should be cleared before the security template is imported. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there is a configuration conflict between the database and the currently imported template, the template configuration has priority.
/Areas Area1 Area2...
Specifies the security zone to be exported to the template. If no region is specified, all regions will be exported. Each region should be separated by spaces. The region Name Description SECURITYPOLICY includes the Account Policy, Audit Policy, Event Log Settings, and security options. GROUP_MGMT includes the configuration of the Restricted Group USER_RIGHTS, including user permission allocation of REGKEYS, including registry permission FILESTORE, file system permission, SERVICES, and system service settings
/Log FileName
Specifies the file that records the export process status. If this file is not specified, the % windir % \ security \ logs \ scesrv. log is recorded by default.
/Quiet
Specify that the configuration process should be performed without prompting the user.
Example
The following is an example of how to use this command:
Secedit/import/db hisecws. sdb/cfg hisecws. inf/overwrite

Secedit/validate
Verify the syntax of the security template to be imported to the analytic database or system application.
Syntax
Secedit/validate FileName
Parameters
FileName
Name of the security template file created using the security template.
Example
The following is an example of how to use this command:
Secedit/validate/cfg filename

Secedit/GenerateRollback
You can generate a rollback template based on the configuration template. When you apply a configuration template to a computer, you can choose to create a rollback template, which resets the security settings to the values before the application configuration template.
Syntax
Secedit/GenerateRollback/CFG FileName. inf/RBK SecurityTemplatefilename. inf [/logRollbackFileName. inf] [/quiet]
Parameters
/CFG FileName
Name of the security template for which you want to create a rollback template.
/RBK FileName
Name of the security template to be created as a rollback template.
Note
Secedit/refreshpolicy has been replaced by gpupdate. For more information about how to update security settings, see related topics ".

Format legend
Meaning
Italics
REQUIRED INFORMATION
Bold
Elements that must be exactly typed as displayed
Ellipsis (...)
Parameters that can be repeated multiple times in the command line
Between square brackets ([])
Optional items
Between braces ({}); Separate options with pipelines (|. Example: {even | odd}
You must select only one option set.
Courier font
Code or program output