SoFunction
Updated on 2025-04-09

How to use local security policy commands

The following commands are covered:

secedit /analyze
secedit /configure
secedit /export
secedit /import
secedit /validate
secedit /GenerateRollback

secedit /analyze
Security settings on a computer can be analyzed by comparing them to the basic settings in the database.
Syntax
secedit /analyze /db FileName.sdb [/cfg FileName] [/overwrite] [/log FileName] [/quiet]
Parameters
/db FileName.sdb
Specifies the database to use for analysis.
/cfg FileName
Specifies the security template to import into the database before performing analysis. Create a security template using the Security Template snap-in.
/log FileName
Specifies a file that records the status of the configuration process. If not specified, the configuration data is logged to a file in the %windir%\security\logs directory.
/quiet
Specifies that the analysis should run without further comments.
Remarks
The results of the analysis can be viewed in Security Configuration and Analysis.

Example
Here is an example of how to use the command:
secedit /analyze /db

secedit /configure
Configure security settings for your local computer by applying settings stored in the database.
Syntax
secedit /configure /db FileName [/cfg FileName] [/overwrite] [/areas Area1 Area2 ...] [/log FileName] [/quiet]
Parameters
/db FileName
Specifies the database used for secure configuration.
/cfg FileName
Specifies the security template to import into the database before configuring the computer. Create a security template using the Security Template snap-in.
/overwrite
Specifies that the database should be cleared before importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there is a configuration conflict between the database and the currently imported template, the template configuration has priority.
/areas Area1 Area2 ...
Specifies the security areas to apply to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area with a space. The following security areas are supported:
Area name: Description
SECURITYPOLICY: Includes account policies, audit policies, event log settings, and security options.
GROUP_MGMT: Includes the configuration of restricted groups.
USER_RIGHTS: Includes user rights assignment.
REGKEYS: Includes registry permissions.
FILESTORE: Includes file system permissions.
SERVICES: Includes system service settings.
/log FileName
Specifies a file that records the status of the configuration process. If not specified, the configuration data is logged to a file in the %windir%\security\logs directory.
/quiet
Specifies that the configuration process should be performed without prompting the user.
Example
Here is an example of how to use the command:
secedit /configure /db /cfg /overwrite /log

secedit /export
Security settings stored in the database can be exported.
Syntax
secedit /export [/DB FileName] [/mergedpolicy] [/CFG FileName] [/areas Area1 Area2 ...] [/log FileName] [/quiet]
Parameters
/db FileName
Specifies the database used to configure security.
/mergedpolicy
Merges and exports domain and local policy security settings.
/CFG FileName
Specifies the template to which settings are to be exported.
/areas Area1 Area2 ...
Specifies the security areas to be exported to the template. If no area is specified, all areas are exported. Separate each area with a space.
Area name: Description
SECURITYPOLICY: Includes account policies, audit policies, event log settings, and security options.
GROUP_MGMT: Includes the configuration of restricted groups.
USER_RIGHTS: Includes user rights assignment.
REGKEYS: Includes registry permissions.
FILESTORE: Includes file system permissions.
SERVICES: Includes system service settings.
/log FileName
Specifies the file that records the status of the export process. If the file is not specified, the default settings are logged to %windir%\security\logs\.
/quiet
Specifies that the configuration process should be performed without prompting the user.
Example
Here is an example of how to use the command:
secedit /export /db /log
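
One defensive use of /export is to dump the current policy to a template and check it against a baseline. The PowerShell below is an added example, not part of the original page; the baseline thresholds and the sample template text are constructed, and the key names are ones secedit writes under [System Access] and [Event Audit] in an exported template.

```powershell
# Added example (not from the original page). On a real host, produce the input with:
#   secedit /export /cfg C:\Temp\current.inf /areas SECURITYPOLICY /quiet
#   $lines = Get-Content C:\Temp\current.inf
# The sample below is constructed so the script runs without touching the system.
$lines = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
'@ -split "`r?`n"

# Parse the INI-style template into a hashtable of sections, each a hashtable of key/value.
function ConvertFrom-SecurityTemplate {
    param([string[]]$Lines)
    $result = @{}; $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment line
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $result[$section] = @{}; continue }
        if ($null -ne $section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $result[$section][$Matches[1]] = $Matches[2]
        }
    }
    $result
}

# Hypothetical baseline: section, key, and a predicate the exported value must satisfy.
$baseline = @(
    @{ Section = 'System Access'; Key = 'MinimumPasswordLength'; Test = { param($v) [int]$v -ge 14 } }
    @{ Section = 'System Access'; Key = 'PasswordComplexity';    Test = { param($v) [int]$v -eq 1 } }
    @{ Section = 'System Access'; Key = 'LockoutBadCount';       Test = { param($v) [int]$v -ge 1 -and [int]$v -le 5 } }
    @{ Section = 'System Access'; Key = 'ClearTextPassword';     Test = { param($v) [int]$v -eq 0 } }
    @{ Section = 'Event Audit';   Key = 'AuditLogonEvents';      Test = { param($v) [int]$v -eq 3 } }
)

$template = ConvertFrom-SecurityTemplate -Lines $lines
foreach ($rule in $baseline) {
    $sectionData = $template[$rule.Section]
    $actual = if ($null -ne $sectionData) { $sectionData[$rule.Key] } else { $null }
    # A setting absent from the export is reported separately from one that fails the check.
    $status = if ($null -eq $actual) { 'MISSING' } elseif (& $rule.Test $actual) { 'OK' } else { 'FAIL' }
    [pscustomobject]@{ Setting = "$($rule.Section)\$($rule.Key)"; Actual = $actual; Status = $status }
}
```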

secedit /import
Security templates can be imported into the database so that the settings specified in the template can be applied to the system or as the basis for analyzing the system.
Syntax
secedit /import /db FileName.sdb /cfg FileName [/overwrite] [/areas Area1 Area2 ...] [/log FileName] [/quiet]
Parameters
/db FileName.sdb
Specifies the database to which security template settings are to be imported.
/CFG FileName
Specifies the security template to import into the database. Create a security template using the Security Template snap-in.
/overwrite
Specifies that the database should be cleared before importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there is a configuration conflict between the database and the currently imported template, the template configuration has priority.
/areas Area1 Area2 ...
Specifies the security areas to be exported to the template. If no area is specified, all areas are exported. Separate each area with a space.
Area name: Description
SECURITYPOLICY: Includes account policies, audit policies, event log settings, and security options.
GROUP_MGMT: Includes the configuration of restricted groups.
USER_RIGHTS: Includes user rights assignment.
REGKEYS: Includes registry permissions.
FILESTORE: Includes file system permissions.
SERVICES: Includes system service settings.
/log FileName
Specifies the file that records the status of the export process. If the file is not specified, the default settings are logged to %windir%\security\logs\.
/quiet
Specifies that the configuration process should be performed without prompting the user.
Example
Here is an example of how to use the command:
secedit /import /db /cfg /overwrite

secedit /validate
Validates the syntax of a security template that is to be imported into a database for analysis or applied to a system.
Syntax
secedit /validate FileName
Parameters
FileName
Specifies the file name of the security template created using the Security Template snap-in.
Example
Here is an example of how to use the command:
secedit /validate /cfg filename

secedit /GenerateRollback
Generates a rollback template from a configuration template. When applying a configuration template to a computer, you can choose to create a rollback template that, when applied, resets the security settings to the values they had before the configuration template was applied.
Syntax
secedit /GenerateRollback /CFG FileName /RBK FileName [/] [/quiet]
Parameters
/CFG FileName
Specifies the file name for the security template for which you want to create the rollback template.
/RBK FileName
Specifies the file name of the security template that will be created as a rollback template.
Remarks
secedit /refreshpolicy has been replaced by gpupdate. For information on how to update security settings, see "Related Topics".
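
The commands above chained into one controlled run, as an added PowerShell example that is not from the original page: validate the template, snapshot the current settings, analyze, then configure only selected areas. All paths and file names are placeholders, and treating any nonzero secedit exit code as a failure is this example's assumption.

```powershell
# Added example, not from the original page. Paths and file names are placeholders.
# Run from an elevated PowerShell session.
$template = 'C:\SecTemplates\baseline.inf'     # hypothetical template to apply
$workDir  = 'C:\SecTemplates\work'             # hypothetical working directory
$db       = Join-Path $workDir 'baseline.sdb'
$backup   = Join-Path $workDir ("pre-apply-{0:yyyyMMdd-HHmmss}.inf" -f (Get-Date))
$log      = Join-Path $workDir 'apply.log'

function Invoke-Secedit {
    param([string[]]$Arguments)
    & secedit.exe @Arguments | Out-Host
    # Assumption of this example: any nonzero exit code stops the run.
    if ($LASTEXITCODE -ne 0) {
        throw "secedit $($Arguments -join ' ') exited with code $LASTEXITCODE"
    }
}

New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Reject a malformed template before anything touches the database.
Invoke-Secedit @('/validate', $template)

# 2. Snapshot the current settings so there is a record to compare against later.
Invoke-Secedit @('/export', '/cfg', $backup, '/log', $log, '/quiet')

# 3. Load the template into a cleared database, then record where the machine differs from it.
Invoke-Secedit @('/import', '/db', $db, '/cfg', $template, '/overwrite', '/log', $log, '/quiet')
Invoke-Secedit @('/analyze', '/db', $db, '/log', $log, '/quiet')

# 4. Apply only the areas under review instead of every setting in the database.
Invoke-Secedit @('/configure', '/db', $db, '/areas', 'SECURITYPOLICY', 'USER_RIGHTS', '/log', $log, '/quiet')

Write-Host "Applied $template; pre-change snapshot saved to $backup, log at $log"
```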

Format legend
Format: Meaning
Italic: Information that the user must provide
Bold: Elements that the user must type exactly as shown
Ellipsis (...): Parameters that can be repeated multiple times in the command line
Between square brackets ([]): Optional items
Between braces ({}), with options separated by a pipe (|), for example {even|odd}: A set of options from which the user must select only one
Courier font: Code or program output