Admin Tip #75: secedit
Windows 2000 and Windows XP come with a command-line utility, Secedit.
Configures and analyzes system security by comparing your current configuration to at least one template.
secedit /analyze /db FileName [/cfg FileName] [/log FileName] [/quiet]
Parameters
- /db FileName
- Required. Specifies the path and file name of a database that contains the stored configuration against which the analysis will be performed. If FileName specifies a new database, the /cfg FileName command-line option must also be specified.
- /cfg FileName
- Specifies the path and file name for the security template that will be imported into the database for analysis. This command-line option is only valid when used with the /db parameter. If this is not specified, the analysis is performed against any configuration already stored in the database.
- /log FileName
- Specifies the path and file name of the log file for the process. If this is not provided, the default log file is used.
- /quiet
- Suppresses screen and log output. You can still view analysis results by using Security Configuration and Analysis.
secedit /configure /db FileName [/cfg FileName] [/overwrite] [/areas area1 area2...] [/log FileName] [/quiet]
Parameters
- /db FileName
- Required. Provides the file name of a database that contains the security template that should be applied.
- /cfg FileName
- Specifies the file name of the security template that will be imported into the database and applied to the system. This command-line option is only valid when used with the /db parameter. If this is not specified, the template that is already stored in the database is applied.
- /overwrite
- Specifies whether the security template in the /cfg parameter should overwrite any template or composite template that is stored in the database instead of appending the results to the stored template. This command-line option is only valid when the /cfg parameter is also used. If this is not specified, the template in the /cfg parameter is appended to the stored template.
- /areas area1 area2...
- Specifies the security areas to be applied to the system. If an area is not specified, all areas are applied to the system. Each area should be separated by a space.

| Area name | Description |
| --- | --- |
| SECURITYPOLICY | Local policy and domain policy for the system, including account policies, audit policies, and so on. |
| GROUP_MGMT | Restricted group settings for any groups specified in the security template |
| USER_RIGHTS | User logon rights and granting of privileges |
| REGKEYS | Security on local registry keys |
| FILESTORE | Security on local file storage |
| SERVICES | Security for all defined services |

- /log FileName
- Specifies the file name of the log file for the process. If it is not specified, the default path is used.
- /quiet
- Suppresses screen and log output.
Exports a stored template from a security database to a security template file.
Syntax
secedit /export [/mergedpolicy] [/DB FileName] [/CFG FileName] [/areas area1 area2...] [/log FileName] [/quiet]
Parameters
- /mergedpolicy
- Merges and exports domain and local policy security settings.
- /db FileName
- Specifies the database file that contains the template that will be exported. If the name of a database file is not provided, the system policy database is used.
- /cfg FileName
- Specifies the file name where the template should be saved.
- /areas area1 area2...
- Specifies the security areas to be exported to a template. If an area is not specified, all areas are exported. Each area should be separated by a space.

| Area name | Description |
| --- | --- |
| SECURITYPOLICY | Specifies local policy and domain policy for the system, including account policies, audit policies, and so on. |
| GROUP_MGMT | Specifies restricted group settings for any groups specified in the security template. |
| USER_RIGHTS | Specifies user logon rights and granting of privileges |
| REGKEYS | Specifies the security on local registry keys |
| FILESTORE | Specifies the security on local file storage |
| SERVICES | Specifies security for all defined services |

- /log FileName
- Specifies the file name of the log file for the process. If not specified, the default path is used.
- /quiet
- Suppresses screen and log output.
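
An added example, not part of the original tip: a PowerShell script that parses a template written by secedit /export and lists the settings that differ from a baseline. The helper function names, the baseline values, the file path and the sample template are constructed for illustration.

```powershell
# Added example, not from the original tip. On a live system the input comes from:
#   secedit /export /cfg C:\Temp\current.inf /areas SECURITYPOLICY /quiet
#   $lines = Get-Content C:\Temp\current.inf     (placeholder path)
# Constructed sample of an exported template, embedded so the script runs offline:
$lines = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 1
'@ -split "`r?`n"

function ConvertFrom-SecurityTemplate {   # hypothetical helper name
    param([string[]]$Lines)
    $template = @{}; $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank line or INF comment
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]; $template[$section] = @{}      # start a new [Section]
        } elseif ($section -and $line -match '^(.+?)\s*=\s*(.*)$') {
            $template[$section][$Matches[1]] = $Matches[2]         # Name = Value
        }
    }
    return $template
}

# Hypothetical baseline; the expected values are illustrative only.
$baseline = @{
    'System Access' = @{ MinimumPasswordLength = '8'; PasswordComplexity = '1'; LockoutBadCount = '5' }
    'Event Audit'   = @{ AuditLogonEvents = '3' }   # 3 = audit success and failure
}

function Compare-SecurityTemplate {   # hypothetical helper name
    param([hashtable]$Actual, [hashtable]$Expected)
    foreach ($section in $Expected.Keys) {
        foreach ($name in $Expected[$section].Keys) {
            $want = $Expected[$section][$name]
            $have = if ($Actual.ContainsKey($section)) { $Actual[$section][$name] } else { $null }
            if ($have -ne $want) {   # a missing setting ($null) is reported as a difference
                [pscustomobject]@{ Section = $section; Setting = $name; Expected = $want; Actual = $have }
            }
        }
    }
}

Compare-SecurityTemplate -Actual (ConvertFrom-SecurityTemplate $lines) -Expected $baseline |
    Sort-Object Section, Setting | Format-Table -AutoSize
```
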
Validates the syntax of a security template to be imported into a database for analysis or application to a system.
Syntax
secedit /validate FileName
Parameter
- FileName
- Specifies the file name of the security template you have created with Security Templates.
secedit /refreshpolicy has been replaced with gpupdate.