secedit /configure

Allows you to configure the current system settings using security settings stored in a database.


secedit /configure /db <database file name> [/cfg <configuration file name>] [/overwrite] [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]


Parameter    Description
/db          Required. Specifies the path and file name of the database containing the stored configuration. If the file name specifies a database that hasn't had a security template (as represented by the configuration file) associated with it, the /cfg <configuration file name> option must also be specified.
/cfg         Specifies the path and file name for the security template that will be imported into the database for analysis. This option is only valid when used with the /db <database file name> parameter. If this parameter isn't also specified, the analysis is performed against any configuration already stored in the database.
/overwrite   Specifies whether the security template in the /cfg parameter should overwrite any template or composite template that is stored in the database, instead of appending the results to the stored template. This option is only valid when the /cfg <configuration file name> parameter is also used. If this parameter isn't also specified, the template in the /cfg parameter is appended to the stored template.
/areas       Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following security areas are supported:
  • securitypolicy: Local policy and domain policy for the system, including account policies, audit policies, security options, and so on.
  • group_mgmt: Restricted group settings for any groups specified in the security template.
  • user_rights: User logon rights and granting of privileges.
  • regkeys: Security on local registry keys.
  • filestore: Security on local file storage.
  • services: Security for all defined services.
/log         Specifies the path and file name of the log file to be used in the process. If you don't specify a file location, the default log file, <systemroot>\Documents and Settings\<UserAccount>\My Documents\Security\Logs\<databasename>.log is used.
/quiet       Suppresses screen and log output. You can still view analysis results by using the Security Configuration and Analysis snap-in to the Microsoft Management Console (MMC).


To perform the analysis for the security parameters on the security database, SecDbContoso.sdb, and then direct the output to the file SecAnalysisContosoFY11, including prompts to verify the command ran correctly, type:

secedit /analyze /db C:\Security\FY11\SecDbContoso.sdb /log C:\Security\FY11\SecAnalysisContosoFY11.log

To incorporate changes required by the analysis process on the SecContoso.inf file, and then to direct the output to the existing file, SecAnalysisContosoFY11, without prompting, type:

secedit /configure /db C:\Security\FY11\SecDbContoso.sdb /cfg SecContoso.inf /overwrite /log C:\Security\FY11\SecAnalysisContosoFY11.xml /quiet
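
The option rules from the parameter table (/db required, /overwrite only with /cfg, a fixed set of /areas values) can be enforced before secedit runs. The PowerShell wrapper below is an added example, not part of the original page; the function name Invoke-SeceditConfigure and its parameter names are hypothetical, and treating a nonzero exit code as failure is an assumption.

```powershell
# Added example, not from the original page. Function and parameter names are
# hypothetical; secedit /configure must run from an elevated prompt.
function Invoke-SeceditConfigure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Database,   # /db (required)
        [string]$Template,                         # /cfg
        [switch]$Overwrite,                        # /overwrite
        [ValidateSet('securitypolicy', 'group_mgmt', 'user_rights',
                     'regkeys', 'filestore', 'services')]
        [string[]]$Areas,                          # /areas
        [string]$LogFile,                          # /log
        [switch]$Quiet                             # /quiet
    )

    # /overwrite is only valid when /cfg is also used.
    if ($Overwrite -and -not $Template) {
        throw '/overwrite requires /cfg <configuration file name>.'
    }
    # A database with no template associated needs /cfg. Only the clearest
    # case is checked here: the database file does not exist yet.
    if (-not $Template -and -not (Test-Path -LiteralPath $Database)) {
        throw "Database '$Database' not found; supply -Template (/cfg)."
    }

    $argList = @('/configure', '/db', $Database)
    if ($Template)  { $argList += '/cfg', $Template }
    if ($Overwrite) { $argList += '/overwrite' }
    if ($Areas)     { $argList += '/areas'; $argList += $Areas }  # one token per area
    if ($LogFile)   { $argList += '/log', $LogFile }
    if ($Quiet)     { $argList += '/quiet' }

    # -WhatIf prints the command line instead of changing the system.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "secedit $($argList -join ' ')")) {
        & secedit.exe @argList
        # Assumption: a nonzero exit code means the run did not complete cleanly.
        if ($LASTEXITCODE -ne 0) {
            throw "secedit exited with code $LASTEXITCODE; check the log file."
        }
    }
}

# The page's second example, previewed with -WhatIf.
Invoke-SeceditConfigure -Database 'C:\Security\FY11\SecDbContoso.sdb' `
    -Template 'SecContoso.inf' -Overwrite `
    -LogFile 'C:\Security\FY11\SecAnalysisContosoFY11.xml' -Quiet -WhatIf
```

Passing -Areas limits the change to the named areas, for example -Areas user_rights, regkeys, instead of applying every setting defined in the database.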

