
Checklist: Use secedit to configure workgroup security

Going computer to computer to configure workgroup security is a time-consuming task. Roberta Bragg offers a better way to get the job done: Use the secedit command.

Configuring workgroup security on individual computers is a time-consuming task even using a single tool to do so, as described in my previous checklist. If you've tried it, you realize there has to be a better way. There is. The secedit command allows you to apply a security template to a computer at the command line, or you can use it in a script or batch file to apply settings each time the computer is booted. If you are networked, you could also use it to apply settings remotely, though I caution you about making it too easy to remotely administer your computers over the network.


Checklist: Use secedit for workgroup security

Step 1: Prepare a security template
To prepare a security template, use the instructions in my previous checklist.

Step 2: Make a copy
Copy the template you just created to the computer you wish to configure.

Step 3: Study the syntax of the secedit command
The secedit command can be used to perform the same tasks as the Security Configuration and Analysis tool -- and then some. It allows you to configure or analyze security on a computer. In Windows XP and Windows Server 2003, it can also be used to create a rollback template (to reverse settings in the template you just applied). To use the command, you need the name and location of the security template, the name and location of the database (use the command to create one) and the correct syntax of the command. For instance, to configure a computer using a security template, you would use:

    secedit /configure /db filenamedb /cfg filenamest /overwrite

The filenamedb is the security database name to be used. The filenamest is the security template name. If the database and template do not exist in the folder you open when you issue the command, you must enter the complete path of the file. Use the /overwrite parameter to instruct that the database be emptied before loading the security template. (If you do not specify this, any security settings already in the database may be combined with those in the security template.) By default, the log is written to the scesrv.log file located in the <systemroot>\security\Logs folder. You can also use the /log parameter and enter your own name for a log file to be created. Use the /quiet parameter to prevent any data from appearing on the screen during the application.

Step 4: Use the secedit command to apply the template
This command allows you to apply mytemplate.inf using database mydatabase.sdb:

    secedit /configure /db mydatabase.sdb /cfg mytemplate.inf /overwrite /quiet

Step 5: Optionally, use a script to apply the command
Use the previous command in a script if you're comfortable doing so. If you are not a scripting wizard, a sample script is available at Microsoft's TechNet resource. Scroll down to the section on configuring security for workgroup/standalone computers.
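
A batch file along the lines of Step 5, as an added example that is not from the original checklist or from Microsoft's TechNet sample: it validates the template, applies it with the Step 4 command and writes a per-computer log. The C:\SecTemplates folder and the log file name are assumptions, as is treating any non-zero exit code as a failure.

```batch
@echo off
rem Added example: apply a security template with secedit and keep a log.
rem mytemplate.inf and mydatabase.sdb are the names used in Step 4.
rem The folder and log name below are assumptions; adjust them to your setup.
rem Keep this folder writable by administrators only: a script that runs at
rem boot applies whatever template it finds there.
setlocal
set "TEMPLATE=C:\SecTemplates\mytemplate.inf"
set "DATABASE=C:\SecTemplates\mydatabase.sdb"
set "LOGFILE=C:\SecTemplates\apply-%COMPUTERNAME%.log"

rem Stop early if the template was never copied to this computer (Step 2).
if not exist "%TEMPLATE%" (
    echo Template not found: %TEMPLATE%
    exit /b 2
)

rem Check the template syntax before changing any settings.
rem Assumption: any non-zero exit code means the check failed.
secedit /validate "%TEMPLATE%"
if errorlevel 1 (
    echo Template failed validation: %TEMPLATE%
    exit /b 3
)

rem /overwrite empties the database before the template is loaded, so old
rem settings are not merged in. /log names our own log file instead of the
rem default scesrv.log. /quiet suppresses screen output.
secedit /configure /db "%DATABASE%" /cfg "%TEMPLATE%" /overwrite /log "%LOGFILE%" /quiet
if errorlevel 1 (
    echo secedit reported a problem. Review %LOGFILE%
    exit /b 1
)

echo Template applied. Log written to %LOGFILE%
endlocal
```

Run it from an administrator account, and review the log after the first run on each computer to confirm that every setting was applied.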

