secedit

Configures and analyzes system security by comparing your current configuration to specified security templates.

Syntax

secedit
[/analyze /db <database file name> /cfg <configuration file name> [/overwrite] /log <log file name> [/quiet]]
[/configure /db <database file name> [/cfg <configuration file name>] [/overwrite] [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]]
[/export /db <database file name> [/mergedpolicy] /cfg <configuration file name> [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>]]
[/generaterollback /db <database file name> /cfg <configuration file name> /rbk <rollback file name> [/log <log file name>] [/quiet]]
[/import /db <database file name> /cfg <configuration file name> [/overwrite] [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]]
[/validate <configuration file name>]

Parameters

Parameter | Description
Secedit:analyze | Allows you to analyze current system settings against baseline settings that are stored in a database. The analysis results are stored in a separate area of the database and can be viewed in the Security Configuration and Analysis snap-in.
Secedit:configure | Allows you to configure a system with security settings stored in a database.
Secedit:export | Allows you to export security settings stored in a database.
Secedit:generaterollback | Allows you to generate a rollback template with respect to a configuration template.
Secedit:import | Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system.
Secedit:validate | Allows you to validate the syntax of a security template.

Remarks

For all filenames, the current directory is used if no path is specified.

When a security template is created using the Security Template snap-in and the Security Configuration and Analysis snap-in is run, the following files are created:

Scesrv.log
    Location: %windir%\security\logs
    Created by: operating system
    File type: text
    Refresh rate: Overwritten when secedit /analyze, /configure, /export or /import is run.
    Content: Contains the results of the analysis grouped by policy type.

User-selected name.sdb
    Location: %windir%\<user account>\Documents\Security\Database
    Created by: running the Security Configuration and Analysis snap-in
    File type: proprietary
    Refresh rate: Updated whenever a new security template is created.
    Content: Local security policies and user-created security templates.

User-selected name.log
    Location: User-defined but defaults to %windir%\<user account>\Documents\Security\Logs
    Created by: running the /analyze and /configure subcommands (or using the Security Configuration and Analysis snap-in)
    File type: text
    Refresh rate: Overwritten each time the /analyze or /configure subcommand is run (or the Security Configuration and Analysis snap-in is used).
    Content:
    1. Log file name
    2. Date and time
    3. Results of analysis or investigation.

User-selected name.inf
    Location: %windir%\<user account>\Documents\Security\Templates
    Created by: running the Security Template snap-in
    File type: text
    Refresh rate: each time the security template is updated
    Content: Contains the setup information for the template for each policy selected using the snap-in.

Note

The Microsoft Management Console (MMC) and the Security Configuration and Analysis snap-in are not available on Server Core.

Additional References

For examples of how this command can be used, see the examples section in any of the subcommand files.
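
The subcommands listed under Parameters, chained into one baseline workflow: validate a template, analyze the system against it, generate a rollback template, and only then configure. This is an added example, not part of the original reference; the directory C:\SecBaseline, the file names and the $Apply switch are assumptions, and the script is meant for an elevated PowerShell prompt.

```powershell
# Added example: validate -> analyze -> rollback -> configure.
# Assumed (hypothetical) names: C:\SecBaseline, baseline.inf, baseline.sdb.
$work     = 'C:\SecBaseline'
$template = Join-Path $work 'baseline.inf'     # security template to enforce
$db       = Join-Path $work 'baseline.sdb'     # database secedit creates or overwrites
$rollback = Join-Path $work 'rollback.inf'     # template that undoes the change
$Apply    = $false                             # set to $true to change the system

if (-not (Test-Path $template)) { throw "Template not found: $template" }

# 1. Check the template syntax before it goes anywhere near a database.
secedit /validate $template
if ($LASTEXITCODE -ne 0) { throw "Template failed /validate (exit $LASTEXITCODE)" }

# 2. Load the template into the database and compare the live system to it.
#    Explicit /log paths keep each step's results; Scesrv.log is overwritten
#    by every run, so it only ever holds the most recent step.
$analyzeLog = Join-Path $work 'analyze.log'
secedit /analyze /db $db /cfg $template /overwrite /log $analyzeLog /quiet
# The exit code is reported, not interpreted: this page does not document
# its values, so read the log for the actual findings.
Write-Host "analyze finished with exit code $LASTEXITCODE; see $analyzeLog"

if (-not $Apply) {
    Write-Host 'Analysis only. Review the log, then set $Apply = $true.'
    return
}

# 3. Capture a rollback template before changing anything.
secedit /generaterollback /db $db /cfg $template /rbk $rollback `
        /log (Join-Path $work 'rollback.log') /quiet
if (-not (Test-Path $rollback)) { throw "No rollback template was written; not applying." }

# 4. Apply one area at a time so a bad setting is easy to isolate.
secedit /configure /db $db /cfg $template /overwrite /areas securitypolicy `
        /log (Join-Path $work 'configure.log') /quiet
Write-Host "configure finished with exit code $LASTEXITCODE"
Write-Host "To undo: secedit /configure /db <database file name> /cfg $rollback /overwrite"
```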