How do I restore security settings to the default settings?

This article helps you restore the security settings to the default settings in Windows XP and in Windows Vista. You should use this solution only when a security change that had negative effects has been applied to the computer and when no backup is available from which to restore. This solution does not restore all security settings that are applied when you install Windows.

To have us fix this problem for you, go to the “Fix it for me” section. If you’d rather fix this problem yourself, go to the “Let me fix it myself” section.

To fix this problem automatically, click the Fix this problem link. Then, click Run in the File Download dialog box, and follow the steps in this wizard.

Fix this problem
Microsoft Fix it 50198

Notes

• This wizard may be in English only; however, the automatic fix also works for other language versions of Windows.
• If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD so that you can run it on the computer that has the problem.

Next steps After you run this Microsoft Fix it, go to the "Did this fix the problem?" section.

Sample command to reset security settings

The steps below do not apply to Windows XP Home Edition, or Windows Vista Home Basic and Home Premium editions. To restore security setting for Home editions, either use the Microsoft Fix, System Restore or a backup.Note After security settings are applied, you cannot undo the changes without restoring from a backup. If you are uncertain about how to restore your security settings to the default settings, you must make a complete backup that includes the System State (the registry files). Items that are reset include NTFS file system files and folders, the registry, policies, services, permissions , and group membership.

To restore your operating system to the original installation default security settings, follow these steps:

1. Open a new Command Prompt:
2. 
   In Windows XP
   • Click Start, click Run, type cmd, and then press ENTER.
   In Windows Vista
   • Click Start and then type cmd in the Start Search box.
   • In the results area, right-click cmd.exe, and then click Run as administrator. You will be prompted to type the password for an administrator account. Click Continue if you are the administrator or type the administrator password. Then, click Continue.
3. In Windows XP, type the following command, and then press ENTER:
   secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
   In Windows Vista, type the following command, and then press ENTER:
   secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
   You receive a "Task is completed" message and a warning message that something could not be done. You can safely ignore this message. For more information about this message, see the %windir%\Security\Logs\Scesrv.log file.

Next steps After you run this Microsoft Fix it (or complete these manual steps), standard user accounts may no longer appear on the log on screen when you start your computer or try to switch users. This occurs because standard user accounts are removed from the Users group when you reset Windows security settings. To add the affected users accounts back to the Users group, follow these steps:

1. Click Start, and then All Programs. Or click Programs.
2. Click Accessories, and then click Command Prompt (Windows XP). Or right-click Command Prompt, and then click Run As Administrator (Windows Vista).
3. In the Command Prompt window, type net users and then press ENTER. A list of user accounts is displayed.
4. For each accountname listed in the Command Prompt that is missing from the log on or switch user screen, type the following command and then press ENTER:
   
   net localgroup users accountname /add
5. Now go to the "Did this fix the problem?" section.

More information In Windows Vista, the Defltbase.inf file is a Security configuration template for the default security. You can view the settings for this file in the following location:

Secedit parameters description

• /configure: Specifies that Secedit.exe sets system security settings.
• /DB file_name: Provides the path of a database that contains the security template to be applied. This is a required argument. However, the database file does not have to exist if you use the /CFG switch to specify a security template.
• /CFG file_name: This argument is valid only when you use it with the /DB parameter. It is the path of the security template that will be imported into the database and applied to the system. If you do not specify this argument, the template that is already stored in the database is applied.
• /overwrite: This argument is valid only when the /CFG argument is also used. This argument specifies whether the security template in the /CFG argument overwrites any template or composite template that is stored in the database instead of appending the results to the stored template. If this is not specified, the template in the /CFG argument is appended to the stored template.
• /areas AreaName1AreaName2...: Specifies the security areas to be applied to the system. The default is "all areas." Each area must be separated by a space.
  Collapse this tableExpand this table

  AreaNameX	Description
  SECURITYPOLICY	Local policy and domain policy for the system. This includes account policies, audit policies, and other policies.
  GROUP_MGMT	Restricted group settings for any groups that are specified in the security template.
  USER_RIGHTS	User logon rights and granting of permissions.
  REGKEYS	Security on local registry keys.
  FILESTORE	Security on local file storage.
  SERVICES	Security for all defined services.

  Note Each area coincides with a similar name in the security template.
• /log logpath: You can use this switch to configure the location of the log file that tracks the changes.
• /verbose: Specifies more detailed progress information.
• /quiet: Reduces the feedback that is provided during the update on the screen and in the log file.

For online Help about Secedit, click Start, click Run, type %windir%\help\secedit.chm, and then press ENTER.

Check whether the problem is fixed. If the problem is fixed, you are finished with this article. If the problem is not fixed, you can contact support (http://support.microsoft.com/contactus) .