To view the command syntax, click the following command:
secedit /analyze
secedit /configure
secedit /export
secedit /import
secedit /validate
secedit /generaterollback
secedit /analyze
Analyzes the security settings on a computer by comparing them against the baseline settings in a database.
Syntax
secedit /analyze /db FileName.sdb [/cfg FileName] [/overwrite] [/log FileName] [/quiet]
Parameters
/db FileName.sdb
Specifies the database to use for the analysis.
/cfg FileName
Specifies the security template to import into the database before the analysis. Use the Security Templates snap-in to create a security template.
/log FileName
Specifies a file that records the status of the configuration process. If not specified, the configuration data is logged to the Scesrv.log file in the %windir%\security\logs directory.
/quiet
Specifies that the analysis process should take place without further comment.
Comments
The results of the analysis can be viewed in Security Configuration and Analysis.
Example
Here's an example of how to use this command:
secedit /analyze /db hisecws.sdb
secedit /configure
Configures the local computer's security settings by applying the settings stored in a database.
Syntax
secedit /configure /db FileName [/cfg FileName] [/overwrite] [/areas Area1 Area2 ...] [/log FileName] [/quiet]
Parameters
/db FileName
Specifies the database that is used for security configuration.
/cfg FileName
Specifies the security template to import into the database before you configure the computer. Use the Security Templates snap-in to create a security template.
/overwrite
Specifies that the database should be emptied before the security template is imported. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there is a configuration conflict between the database and the currently imported template, the template configuration has precedence.
/areas Area1 Area2 ...
Specifies the security areas to apply to the system. If no areas are specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area with a space. The following security areas are supported:
Area name - Description
SECURITYPOLICY - Includes account policy, audit policy, event log settings, and security options
GROUP_MGMT - Includes the configuration of restricted groups
USER_RIGHTS - Includes user rights assignment
REGKEYS - Includes registry permissions
FILESTORE - Includes file system permissions
SERVICES - Includes system service settings
/log FileName
Specifies a file that records the status of the configuration process. If not specified, the configuration data is logged to the Scesrv.log file in the %windir%\security\logs directory.
/quiet
Specifies that the configuration process should be performed without prompting the user.
Example
The following is an example of how to use this command:
secedit /configure /db hisecws.sdb /cfg hisecws.inf /overwrite /log hisecws.log
secedit /export
Exports the security settings stored in the database.
Syntax
secedit /export [/db FileName] [/mergedpolicy] [/cfg FileName] [/areas Area1 Area2 ...] [/log FileName] [/quiet]
Parameters
/db FileName
Specifies the database used to configure security.
/mergedpolicy
Merges and exports domain and local policy security settings.
/cfg FileName
Specifies the template to export the settings to.
/areas Area1 Area2 ...
Specifies the security areas to export to the template. If no area is specified, all areas are exported. Separate each area with a space. The following security areas are supported:
Area name - Description
SECURITYPOLICY - Includes account policy, audit policy, event log settings, and security options
GROUP_MGMT - Includes the configuration of restricted groups
USER_RIGHTS - Includes user rights assignment
REGKEYS - Includes registry permissions
FILESTORE - Includes file system permissions
SERVICES - Includes system service settings
/log FileName
Specifies a file that records the status of the export process. If you do not specify the file, the status is logged by default to %windir%\security\logs\scesrv.log.
/quiet
Specifies that the configuration process should be performed without prompting the user.
Example
Here's an example of how to use this command:
secedit /export /db hisecws.inf /log hisecws.log
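An exported template can be checked against a baseline to spot weak account-policy settings. The following PowerShell is an added example, not part of the original page: it parses exported template lines and tests a few [System Access] settings. The function names, baseline thresholds and sample lines are assumptions made for illustration.

```powershell
# Added example, not part of the original page. Baseline thresholds and sample lines are constructed.
function Export-SecurityPolicy {
    param([string]$Path = (Join-Path $env:TEMP 'secpol-audit.inf'))
    # Needs an elevated prompt. /cfg names the output template; /areas limits the export.
    & secedit.exe /export /cfg $Path /areas SECURITYPOLICY /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }
    Get-Content -Path $Path
}

function ConvertFrom-SecurityTemplate {
    param([string[]]$Lines)
    # Turn "[Section]" headers and "Key = Value" pairs into nested hashtables.
    $sections = @{}; $current = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $current = $Matches[1]; $sections[$current] = @{}
        } elseif ($current -and $text -match '^([^=;]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $sections
}

function Test-SystemAccess {
    param([hashtable]$Policy, [hashtable]$Baseline)
    $access = $Policy['System Access']
    if (-not $access) { $access = @{} }
    foreach ($key in ($Baseline.Keys | Sort-Object)) {
        $value = $access[$key]
        # A missing key is reported as non-compliant rather than coerced to 0.
        $ok = ($null -ne $value) -and [bool](& $Baseline[$key] ([int]$value))
        [pscustomobject]@{ Setting = $key; Value = $value; Compliant = $ok }
    }
}

# Constructed baseline: each setting maps to a predicate over its integer value.
$baseline = @{
    MinimumPasswordLength = { param($v) $v -ge 14 }
    PasswordComplexity    = { param($v) $v -eq 1 }
    ClearTextPassword     = { param($v) $v -eq 0 }
    LockoutBadCount       = { param($v) $v -ge 1 -and $v -le 10 }
}
# Constructed sample of exported lines; on a live host use: $lines = Export-SecurityPolicy
$lines = '[Unicode]', 'Unicode=yes', '[System Access]', 'MinimumPasswordLength = 7',
         'PasswordComplexity = 1', 'ClearTextPassword = 0', 'LockoutBadCount = 0'
Test-SystemAccess -Policy (ConvertFrom-SecurityTemplate $lines) -Baseline $baseline | Format-Table
```

With the constructed sample, the password length and lockout threshold rows are reported as non-compliant; a LockoutBadCount of 0 means account lockout is disabled.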
secedit /import
Imports a security template into a database so that the settings specified in the template can be applied to the system or used as a basis for analyzing the system.
Syntax
secedit /import /db FileName.sdb /cfg FileName.inf [/overwrite] [/areas Area1 Area2 ...] [/log FileName] [/quiet]
Parameters
/db FileName.sdb
Specifies the database to which you want to import security template settings.
/cfg FileName
Specifies the security template to import into the database. Use the Security Templates snap-in to create a security template.
/overwrite FileName
Specifies that the database should be emptied before the security template is imported. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there is a configuration conflict between the database and the currently imported template, the template configuration has precedence.
/areas Area1 Area2 ...
Specifies the security areas that will be exported to the template. If no area is specified, all areas will be exported. Separate each area with a space. The following security areas are supported:
Area name - Description
SECURITYPOLICY - Includes account policies, audit policies, event log settings, and security options
GROUP_MGMT - Includes the configuration of restricted groups
USER_RIGHTS - Includes user rights assignment
REGKEYS - Includes registry permissions
FILESTORE - Includes file system permissions
SERVICES - Includes system service settings
/log FileName
Specifies a file that records the status of the export process. If you do not specify the file, the status is logged by default to %windir%\security\logs\scesrv.log.
/quiet
Specifies that the configuration process should be performed without prompting the user.
Example
Here's an example of how to use this command:
secedit /import /db hisecws.sdb /cfg hisecws.inf /overwrite
secedit /validate
Validates the syntax of a security template that you want to import into a database for analysis or apply to a system.
Syntax
secedit /validate FileName
Parameters
FileName
Specifies the file name of the security template created using the Security Templates snap-in.
Example
Here's an example of how to use this command:
secedit /validate /cfg filename
secedit /generaterollback
Generates a rollback template based on a configuration template. When you apply a configuration template to a computer, you have the option of creating a rollback template that, when applied, resets the security settings to the values they had before the configuration template was applied.
Syntax
secedit /generaterollback /cfg FileName.inf /RBK SecurityTemplatefilename.inf [/log RollbackFileName.inf] [/quiet]
Parameters
/cfg FileName
Specifies the file name of the security template for which you want to create a rollback template.
/RBK FileName
Specifies the file name of the security template that will be created as a rollback template.
Comments
secedit /refreshpolicy has been replaced by GPUpdate. For information about how to update your security settings, see Related Topics.
Format legend
Format - Meaning
Italic - Information that the user must provide
Bold - Elements that the user must type exactly as they appear
Ellipsis (...) - Parameters that can be repeated multiple times on the command line
Between square brackets ([]) - Optional items
Between braces ({}); options separated by pipes (|). Example: {even|odd} - Option set from which the user must select only one option
Courier font - Code or program output