Using Secedit To Apply Security Templates


Secedit /configure /db secedit.sdb /cfg"c:\temp\custom.inf" /silent >nul

This command imports a security template file, “custom.inf” into the workstation’s or server’s local security database. /db must be specified. When specifying the default secuirty database (secedit.sdb,) I found that providing no path worked best. The /cfg option informs Secedit that it is to import the .inf file into the specified database, appending it to any existing .inf files that have already been imported to this system. You can optionally include an /overwrite switch to overwrite all previous configurations for this machine. The /silent option supresses any pop-ups and the >nul hides the command line output stating success or failure of the action.

To create a security template, check out this tip.

To force the template change to take effect right away, use the following command line:

Secedit /refreshpolicy machine_policy /enforce /quiet

To periodically reinforce your security policy, you can issue Secedit commands remotely or through a script. If you arenÂ’t using GPOs to distribute security policy, you can use this command-line method to perform periodic updates of security policy.

By default, when a computer is restarted the settings on that computer will be refreshed. The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there have been any changes.


  • There should be a space between /cfg and "c:\temp... - PtrGk 8 years ago
This post is locked
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ