Checklist: Use secedit to configure workgroup security

Configuring workgroup security on individual computers is a time-consuming task even using a single tool to do so, as described in my previous checklist. If you've tried it, you realize there has to be a better way. There is. The secedit command allows you to apply a security template to a computer at the command line, or you can use it in a script or batch file to apply settings each time the computer is booted. If you are networked, you could also use it to apply settings remotely, though I caution you about making it too easy to remotely administer your computers over the network.


Checklist: Use secedit for workgroup security

Step 1: Prepare a security template
To prepare a security template, use the instructions in my previous checklist.

Step 2: Make a copy
Copy the template you just created to the computer you wish to configure.

Step 3: Study the syntax of the secedit command
The secedit command can be used to perform the same tasks as the Security Configuration and Analysis tool -- and then some. It allows you to configure or analyze security on a computer. In Windows XP and Windows Server 2003, it can also be used to create a rollback template (to reverse settings in the template you just applied). To use the command, you need the name and location of the security template, the name and location of the database (use the command to create one) and the correct syntax of the command. For instance, to configure a computer using a security template, you would need:

secedit /configure /db filenamedb /cfg filenamest /overwrite

The filenamedb is the security database name to be used. The filenamest is the security template name. If the database and template do not exist in the folder you open when you issue the command, you must enter the complete path of the file. Use the /overwrite parameter to instruct that the database be emptied before loading the security template. (If you do not specify this, any security settings already in the database may be combined with those in the security template.) By default, log output is written to the scesrv.log file located in the <systemroot>\security\Logs folder. You can also use the /log parameter and enter your own name for a log file to be created. Use the /quiet parameter to prevent any data from appearing on the screen during the application.

Step 4: Use the secedit command to apply the template
This command allows you to apply mytemplate.inf using database mydatabase.sdb:

secedit /configure /db mydatabase.sdb /cfg mytemplate.inf /overwrite /quiet

Step 5: Optionally, use a script to apply the command
Use the previous command in a script if you're comfortable doing so. If you are not a scripting wizard, a sample script is available at Microsoft's TechNet resource. Scroll down to the section on configuring security for workgroup/standalone computers.
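
One way to script Steps 3 to 5, shown as an added PowerShell example (it is not part of the original checklist and is not Microsoft's TechNet sample script). The folder and file names are hypothetical placeholders, and treating a non-zero exit code from secedit as a failure is an assumption.

```powershell
# Added example: validate and apply a security template with secedit.
# All paths below are hypothetical placeholders; adjust them for your computer.
param(
    [string]$Template = 'C:\SecTemplates\mytemplate.inf',
    [string]$Database = 'C:\SecTemplates\mydatabase.sdb',
    [string]$LogFile  = 'C:\SecTemplates\mytemplate-apply.log'
)

# secedit /configure changes local security settings, so require an
# administrator session before doing anything else.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an Administrator prompt.'
}

# Use the complete path so the command does not depend on the current
# folder (see Step 3). This stops the script if the template is missing.
$Template = (Resolve-Path -LiteralPath $Template -ErrorAction Stop).Path

# Check the template's syntax before touching the database or the computer.
& secedit.exe /validate $Template
if ($LASTEXITCODE -ne 0) {
    throw "Template failed validation: $Template"
}

# Apply the template. /overwrite empties the database first so that older
# settings are not combined with the template; /log names our own log file
# instead of the default scesrv.log; /quiet suppresses screen output.
& secedit.exe /configure /db $Database /cfg $Template /overwrite /log $LogFile /quiet

# Assumption: a non-zero exit code means secedit reported a problem.
if ($LASTEXITCODE -ne 0) {
    throw "secedit /configure exited with code $LASTEXITCODE; review $LogFile"
}

Write-Output "Applied $Template using $Database; details are in $LogFile"
```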


More checklists from Roberta Bragg

This was first published in April 2005
