secedit commands

Configures and analyzes system security by comparing your current security configuration against specified security templates.

Note

The Microsoft Management Console (MMC) and the Security Configuration and Analysis snap-in are not available on Server Core.

Syntax

secedit /analyze
secedit /configure
secedit /export
secedit /generaterollback
secedit /import
secedit /validate

Parameters

Parameter Description
secedit /analyze Allows you to analyze current systems settings against baseline settings that are stored in a database. The analysis results are stored in a separate area of the database and can be viewed in the Security Configuration and Analysis snap-in.
secedit /configure Allows you to configure a system with security settings stored in a database.
secedit /export Allows you to export security settings stored in a database.
secedit /generaterollback Allows you to generate a rollback template with respect to a configuration template.
secedit /import Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system.
secedit /validate Allows you to validate the syntax of a security template.

Remarks

  • If there is no filepath specified, all filenames will default to the current directory.

  • Your analysis results are stored in a separate area of the database and can be viewed in the Security Configuration and Analysis snap-in to the MMC.

  • If your security templates are created by using the Security Template snap-in, and if you run the Security Configuration and Analysis snap-in against those templates, the following files are created:

    File Description
    scesrv.log
    • Location: %windir%\security\logs
    • Created by: Operating system
    • File type: Text
    • Refresh rate: Overwritten when secedit analyze, secedit configure, secedit export or secedit import is run.
    • Content: Contains the results of the analysis grouped by policy type.
    user-selected name.sdb
    • Location: %windir%\<user account>\Documents\Security\Database
    • Created by: Running the Security Configuration and Analysis snap-in
    • File type: Proprietary
    • Refresh rate: Updated whenever a new security template is created.
    • Content: Local security policies and user-created security templates.
    user-selected name.log
    • Location: User-defined, but defaults to %windir%\<user account>\Documents\Security\Logs
    • Created by: Running the secedit analyze or secedit configure commands, or by using the Security Configuration and Analysis snap-in.
    • File type: Text
    • Refresh rate: Overwritten when secedit analyze or secedit configure is run, or by using the Security Configuration and Analysis snap-in.
    • Content: Log file name, date and time, and the results of the analysis or investigation.
    user-selected name.inf
    • Location: %windir%\*<user account>\Documents\Security\Templates
    • Created by: Running the Security Template snap-in.
    • File type: Text
    • Refresh rate: Overwritten each time the security template is updated.
    • Content: Contains the set up information for the template for each policy selected using the snap-in.