This step-by-step article describes how to set the security settings in Microsoft Windows XP Professional and in Windows Vista back to the default settings for a disaster recovery scenario. You should should only follow these steps when a security change has been applied to the computer that has negative affects and when no backup is available to restore from. The Secsetup.inf template does not contain a full copy of the security settings that are applied during setup.

Back to the top

Sample command to reset security settings

Note After security settings are applied, you cannot undo the changes without restoring from a backup. If you are uncertain about resetting your security settings back to the default security settings, you must make a complete backup that includes the "System State" (the registry files). Items that are reset include NTFS file system files and folders, the registry, policies, services, privilege rights, and group membership.

To reset your operating system back to original installation default security settings:

1.

Click Start, click Run, type cmd, and then press ENTER.

2.

For Windows XP, type the following command, and then press ENTER: secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose For Windows Vista, type the following command, and then press ENTER: secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose You receive a "Task is completed" message, and a warning message that something could not be done. You can safely ignore this message. For more information about this message, view the %windir%\Security\Logs\Scesrv.log file.

Note In Windows Vista, the defltbase.inf file is a Security configuration template for the default security. You can view the settings for this file in the following location:

Back to the top

Secedit parameters

•	/configure - Specifies that Secedit.exe should set system security settings.
•	/DB filename - Provides the path to a database that contains the security template to be applied. This is a required argument, but the database file does not have to exist if you use the /CFG switch to specify a security template.
•	/CFG filename - This argument is only valid when you use it with the /DB parameter. It is the path to the security template that will be imported into the database and applied to the system. If you do not specify this argument, the template that is already stored in the database will be applied.
•	/overwrite - This argument is only valid when the /CFG argument is also used. This specifies whether the security template in the /CFG argument overwrites any template or composite template that is stored in the database instead of appending the results to the stored template. If this is not specified, the template in the /CFG argument will be appended to the stored template.
•	/areas AreaName1AreaName2... Specifies the security areas to be applied to the system. The default is "all areas." Each area must be separated by a space. AreaNameX - Description SECURITYPOLICY - Local policy and domain policy for the system, including account policies, audit policies, and other policies. GROUP_MGMT - Restricted group settings for any groups that are specified in the security template. USER_RIGHTS - User logon rights and granting of privileges. REGKEYS - Security on local registry keys. FILESTORE - Security on local file storage. SERVICES - Security for all defined services. Note Each of these areas coincide with similar names in the Security Template.
•	/log logpath - You can use this switch to configure the location of the log file that tracks the changes.
•	/verbose - Specifies more detailed progress information.
•	/quiet - Minimize the amount of feedback that is provided during the update on the screen and in the log file.

For online help about Secedit, click Start, click Run, type %windir%\help\secedit.chm, and then press ENTER.

Back to the top