1. Open Security Configuration and Analysis.
2. In the console tree, right-click Security Configuration and Analysis, and then click Open Database.

   Where?

   • ConsoleRoot
   • Security Configuration and Analysis
3. In File name, type the file name, and then click Open.
4. Do one of the following:
   • For a domain controller, in the console tree, right-click Security Configuration and Analysis, click Import Template, and then click DC security.
   • For other computers, in the console tree, right-click Security Configuration and Analysis, click Import Template, and then click setup security.
5. Select the Clear this database before importing check box, and then click Open.
6. In the console tree, right-click Security Configuration and Analysis, and then click Configure Computer Now.
7. Do one of the following:
   • To use the default log specified in Error log file path, click OK.
   • To specify a different log, in Error log file path, type a valid path and file name, and then click OK.
8. When the configuration is done, right-click Security Configuration and Analysis, and then click View Log File.

Important

• Applying the entire setup security template is a drastic measure that should be avoided. Instead, use the secedit command-line tool to apply default settings for specific areas. See the Using a command line section of this procedure.

Notes

• Different permissions are required to perform this procedure, depending on the environment in which you reapply default security settings:
  • If you reapply default security settings to your local computer: XOX
  • If you reapply default security settings to a computer that is joined to a domain: XOX
• To open Security Configuration and Analysis, click Start, click Run, type mmc, and then click OK. On the File menu, click Open, click the console that you want to open, and then click Open. In the console tree, click Security Configuration and Analysis.
• The default path for the log file is:

  systemroot\Documents and Settings\UserAccount\My Documents\Security\Logs\

• When you reapply default security settings, all settings that are defined in Setup security.inf are set as the template specifies, but other settings that are not defined in the template may persist. For more information, see Persistence in security settings.

• Open Command Prompt.
• For a server or workstation, type:

  secedit /configure /DB FileName /CFG "%windir%\Security\Templates\Setup security.inf" [/overwrite][/areas Area1 Area2...] [/log LogPath] [/quiet]

  For a domain controller, type:

  secedit /configure /DB FileName /CFG "%windir%\Security\Templates\DC security.inf" [/overwrite][/areas Area1 Area2...] [/log LogPath] [/quiet]

Argument	Description
/DB FileName	Required. Provides the path to a database that contains the security template that should be applied. To create a new database, type the database file name and path.
/CFG "%windir%\Security\Templates\Setup security.inf"	Specifies the Setup Security.inf template that contains the default security settings.
/overwrite	Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.
/areas Area1 Area2...	Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following security areas are supported: Area name Description SECURITYPOLICY Includes account policies, audit policies, event log settings, and security options. GROUP_MGMT Includes Restricted Group settings. USER_RIGHTS Includes user rights assignment. REGKEYS Includes registry permissions. FILESTORE Includes file system permissions. SERVICES Includes System Service settings.
/log LogPath	Specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the Scesrv.log file, which is located in the %windir%\Security\Logs folder.
/quiet	Specifies that the configuration process should take place without prompting the user.

Important

• It is advisable to apply Setup security in parts using the Areas parameter, so you can have control over which parts you are restoring.

Notes

• Different permissions are required to perform this procedure, depending on the environment in which you reapply default security settings:
  • If you reapply default security settings to your local computer: XOX
  • If you reapply default security settings to a computer that is joined to a domain: XOX
• XOX
• To view the complete syntax for this command, at a command prompt, type:
  

  secedit /?

Related Topics