You are on page 1of 3

Sample command to reset security settings

The steps below do not apply to Windows XP Home Edition, or Windows Vista Home Basic and Home

Premium editions. To restore security setting for Home editions, either use the Microsoft Fix, System

Restore or a backup.Note After security settings are applied, you cannot undo the changes without restoring

from a backup. If you are uncertain about how to restore your security settings to the default settings, you

must make a complete backup that includes the System State (the registry files). Items that are reset

include NTFS file system files and folders, the registry, policies, services, permissions , and group


To restore your operating system to the original installation default security settings, follow these steps:

1. Open a new Command Prompt:

In Windows XP
o Click Start, click Run, type cmd, and then press ENTER.

In Windows Vista

o Click Start and then type cmd in the Start Search box.

o In the results area, right-click cmd.exe, and then click Run as administrator. You

will be prompted to type the password for an administrator account. Click Continue if

you are the administrator or type the administrator password. Then, click Continue.

3. In Windows XP, type the following command, and then press ENTER:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

In Windows Vista, type the following command, and then press ENTER:

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

You receive a "Task is completed" message and a warning message that something could not be

done. You can safely ignore this message. For more information about this message, see the

%windir%\Security\Logs\Scesrv.log file.
Next steps After you run this Microsoft Fix it (or complete these manual steps), standard user accounts

may no longer appear on the log on screen when you start your computer or try to switch users. This occurs

because standard user accounts are removed from the Users group when you reset Windows security

settings. To add the affected users accounts back to the Users group, follow these steps:

1. Click Start, and then All Programs. Or click Programs.

2. Click Accessories, and then click Command Prompt (Windows XP). Or right-click

Command Prompt, and then click Run As Administrator (Windows Vista).

3. In the Command Prompt window, type net users and then press ENTER. A list of user

accounts is displayed.

4. For each accountname listed in the Command Prompt that is missing from the log on or

switch user screen, type the following command and then press ENTER:

net localgroup users accountname /add

5. Now go to the "Did this fix the problem?" section.

More information In Windows Vista, the Defltbase.inf file is a Security configuration template for the

default security. You can view the settings for this file in the following location:


Back to the top

Secedit parameters description

• /configure: Specifies that Secedit.exe sets system security settings.

• /DB file_name: Provides the path of a database that contains the security template to be

applied. This is a required argument. However, the database file does not have to exist if you

use the /CFG switch to specify a security template.

• /CFG file_name: This argument is valid only when you use it with the /DB parameter. It

is the path of the security template that will be imported into the database and applied to the

system. If you do not specify this argument, the template that is already stored in the database

is applied.

• /overwrite: This argument is valid only when the /CFG argument is also used. This

argument specifies whether the security template in the /CFG argument overwrites any

template or composite template that is stored in the database instead of appending the results

to the stored template. If this is not specified, the template in the /CFG argument is appended

to the stored template.

• /areas AreaName1AreaName2...: Specifies the security areas to be applied to the

system. The default is "all areas." Each area must be separated by a space.

AreaNameX Description

SECURITYPOLICY Local policy and domain policy for the system. This includes account policies, audit
policies, and other policies.

GROUP_MGMT Restricted group settings for any groups that are specified in the security

USER_RIGHTS User logon rights and granting of permissions.

REGKEYS Security on local registry keys.

FILESTORE Security on local file storage.

SERVICES Security for all defined services.

Note Each area coincides with a similar name in the security template.

• /log logpath: You can use this switch to configure the location of the log file that tracks

the changes.

• /verbose: Specifies more detailed progress information.

• /quiet: Reduces the feedback that is provided during the update on the screen and in the

log file.

For online Help about Secedit, click Start, click Run, type %windir%\help\secedit.chm, and then press


Back to the top