Security Settings Extension Tools and Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In this subject
Resultant Set of Policies
Command Line Tools
Security Settings Policies
Related Information
This section presents an overview of Resultant Set of Policies (RSoP), which you use to determine which policy settings are currently in effect for a computer or user, and to assess how policy settings would affect computers or users if a specific Group Policy object were applied to them. It also describes the Windows Server 2003 command-line tools for configuring and analyzing security settings.
Resultant Set of Policies
Windows XP and the Windows Server 2003 family of operating systems support an enhanced Group Policy infrastructure that utilizes Windows Management Instrumentation (WMI) to collect Group Policy-related data for planning and troubleshooting Group Policy. This structure is the Resultant Set of Policy (RSoP), a query engine that polls existing policy settings and planned policy settings, and then reports the results of those queries. RSoP polls existing policies based on site, domain, domain controller, and organizational unit. RSoP gathers this information from the Common Information Management Object Model (CIMOM) database (also known as the CIM-compliant object repository) by using WMI. Administrators can use RSoP in one of two modes. To determine which policy settings are in effect for a particular computer or user, administrators use Resultant Set of Policy – Logging Mode, and to evaluate how policy settings would affect a computer or user if a specific Group Policy object were applied to users or computers, they use Resultant Set of Policy – Planning Mode.
In Windows Server 2003, you can use the Group Policy Results node Group Policy Management Console (GPMC) to access the Resultant Set of Policy – Logging Mode capabilities. Group Policy Results represents the actual resultant set of policy that was applied to a given user and computer. This information is obtained by directly querying the target user/computer. Each sub-node represents a different RSoP query for a given user/computer combination. The Group Policy Modeling node in GPMC allows administrators to access the Resultant Set of Policy – Planning Mode capabilities of Windows Server 2003.
Note
- As with other Group Policy settings, you must fully test your implementation in a test domain before you deploy your security settings to your production environment.
Some of the security settings extensions of Group Policy provide RSoP classes to represent data pertaining to security policy settings. The Security Policy RSoP Classes section, later in this document, lists the RSoP classes for security policy settings.
On Windows 2000 computers, you can use the Gpresults.exe tool to display information about how Group Policy affects both the currently logged-on user and the computer. For information about the Gpresults syntax, see “IPSec Policy Extension Tools and Settings” in this collection.
The Gpresults command-line tool is available in the Windows 2000 Resource Kit. To download this tool, see the download site for Windows 2000 Server Resource Kit tools.
For more detailed information about RSoP and WMI and to download SDKs, see the Microsoft Platform SDK link on the Web Resources page.
For more information about GPMC, see the Group Policy Management Console link on the Web Resources page.
Security Policy RSoP Classes
The RSoP Windows Management Instrumentation (WMI) Method Provider supports the following security policy classes, as listed in the following table.
Security Policy RSoP Classes
| Class | Description |
|---|---|
RSOP_AuditPolicy |
This class represents the security setting for a local Group Policy that relates to the auditing of an event type. Events can include, among others, system events and account management events. |
RSOP_File |
This class represents a security policy setting that defines the access permissions and audit settings for a securable file system object. |
RSOP_RegistryKey |
This class represents a security policy setting that defines the access permissions and audit settings for a particular registry key. |
RSOP_RegistryValue |
This class represents specific security-related registry values. |
RSOP_RestrictedGroup |
This class represents a security policy setting that defines the members of a restricted (security-sensitive) group. |
RSOP_SecurityEventLogSettingBoolean |
This class represents a security policy setting that determines whether or not guests can access the system, application and security event logs. |
RSOP_SecurityEventLogSettingNumeric |
This class represents a security policy setting that determines numeric properties related to the system, application and security event logs. Properties include the number of days to retain entries and maximum log size. |
RSOP_SecuritySettingBoolean |
This class represents the Boolean security setting for an account policy. Account policies include password policies and account lockout policies. |
RSOP_SecuritySettingNumeric |
This class represents the numeric security setting for an account policy. Account policies include password policies, account lockout policies, and Kerberos-related policies. |
RSOP_SecuritySettings |
This is the abstract class from which other RSoP security classes derive. Instances of this class are not logged. RSOP_SecuritySettings derives from the RSOP_PolicySetting class. |
RSOP_SecuritySettingString |
This class represents the string security setting for an account policy. |
RSOP_SystemService |
This class represents the security policy setting that defines the start-up mode and access permissions for a particular system service. |
RSOP_UserPrivilegeRight |
This class represents the security setting for a local Group Policy that relates to the assignment of a particular user privilege. |
RSOP_PolicySetting
The RSOP_PolicySetting WMI class is the class from which policy objects for client-side extensions are inherited. An instance of this class corresponds to a specific policy setting. This class was added for Windows XP.
Requirements for this class are as follows:
Client: Included in Windows XP Professional.
Server: Included in Windows Server 2003.
Command Line Tools
This section describes the Windows Server 2003 command line tools for configuring, analyzing, and updating security settings:
Secedit.exe
Gpupdate.exe
Secedit.exe
You can use the secedit.exe command to configure and analyze system security by comparing your current configuration to at least one template.
Note
- Secedit /refreshpolicy has been replaced with gpupdate. To refresh local Group Policy settings and Group Policy settings that are stored in Active Directory, including security settings, use gpudate. See “Gpupdate,” later in this section.
Secedit supports the following commands:
analyze
configure
export
import
validate
generateRollback
Secedit /analyze
This command allows you to analyze the security settings on a computer by comparing them against the baseline settings in a database. You can view the results of the analysis in the Security Configuration and Analysissnap-in.
Syntax
secedit /analyze /dbFileName.sdb [/cfgFileName] [/overwrite] [/logFileName] [/quiet]
Parameters
/dbFileName**.sdb**
This parameter specifies the database used to perform the analysis.
/cfgFileName
This parameter specifies a security template to import into the database prior to performing the analysis. Security templates are created using the Security Templates snap-in.
/logFileName
This parameter specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the scesrv.log file which is located in the %windir%\security\logs directory.
/quiet
This parameter specifies that the analysis process should take place without further comments.
Examples
The following is an example of how you can use this command:
secedit /analyze /db hisecws.sdb
Secedit /configure
You can use secedit /configure to configure local computer security by applying the settings stored in a database.
Syntax
secedit/configure/db FileName [/cfg FileName ] [/overwrite][/areasArea1 Area2 ...] [/logFileName] [/quiet]
Parameters
/dbFileName
This parameter specifies the database used to perform the security configuration.
/cfgFileName
This parameter specifies a security template to import into the database prior to configuring the computer. Security templates are created using the Security Templates snap-in.
/overwrite
This parameter specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated in the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings take precedence.
/areasArea1Area2
This parameter specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following security areas are supported:
| Area name | Description |
|---|---|
SECURITYPOLICY |
This includes Account Policies, Audit Policy, Event Log settings, and Security Options. |
GROUP_MGMT |
This includes Restricted Groups settings. |
USER_RIGHTS |
This includes User Rights Assignment. |
REGKEYS |
This includes Registry permissions. |
FILESTORE |
This includes File System permissions. |
SERVICES |
This includes System Services settings. |
/logFileName
This parameter specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the scesrv.log file, which is located in the %windir%\security\logs directory.
/quiet
This parameter specifies that the configuration process should take place without prompting the user.
Examples
The following are examples of how you can use this command:
secedit/configure /db hisecws.sdb**/cfg**FileName
hisecws.inf/overwrite/loghisecws.log
If dbFileName (database filename) doesn’s exist, secedit creates a new database using the settings in cfgFileName (template filename) and applies the configuration. If dbFileName exists, then secedit merges the settings into the database before applying the newly merged configuration. If you omit cfgFileName, secedit applies the configuration using the settings already stored in the database.
Secedit /export
Running secedit /export allows you to export the security settings stored in the database.
Syntax
secedit/export [/DBFileName] [/mergedpolicy] [/CFG FileName] [/areasArea1 Area2 ...] [/logFileName] [/quiet]
Parameters
/dbFileName
This parameter specifies the database used to configure security.
/mergedpolicy
This parameter merges and exports domain and local policy security settings.
/CFGFileName
This parameter specifies the template the settings will be exported to.
/areasArea1 Area2
This parameter specifies the security areas to be exported to a template. If an area is not specified, all areas are exported. Each area should be separated by a space. The following table lists the security areas that can be exported.
Security Areas and Descriptions
| Area name | Description |
|---|---|
SECURITYPOLICY |
This includes Account Policies, Audit Policy, Event Log settings, and Security Options. |
GROUP_MGMT |
This includes Restricted Groups settings. |
USER_RIGHTS |
This includes User Rights Assignment. |
REGKEYS |
This includes Registry permissions. |
FILESTORE |
This includes File System permissions. |
SERVICES |
This includes System Services settings. |
/logFileName
This parameter specifies a file in which to log the status of the export process. If not specified, the default is %windir%\security\logs\scesrv.log.
/quiet
This parameter specifies that the configuration process should take place without prompting the user.
Examples
The following is an example of how you can use this command:
secedit /export /db hisecws.inf /log hisecws.log
Secedit /import
Running secedit /import allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system.
Syntax
secedit/import/dbFileName.sdb/cfgFileName.inf [/overwrite] [/areasArea1 Area2 ...] [/logFileName] [/quiet]
Parameters
/dbFileName**.sdb**
This parameter specifies the database to which the security template settings will be imported.
/CFGFileName
This parameter specifies a security template to import into the database. Security templates are created using the Security Templates snap-in.
/overwriteFileName
This parameter specifies that the database contents should be cleared prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated in the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings take precedence.
/areasArea1 Area2
This parameter specifies the security areas to be exported to a template, as listed in the following table. If an area is not specified, all areas are exported. Each area should be separated by a space.
| Area name | Description |
|---|---|
SECURITYPOLICY |
This includes Account Policies, Audit Policy, Event Log settings, and Security Options. |
GROUP_MGMT |
This includes Restricted Groups settings. |
USER_RIGHTS |
This includes User Rights Assignment. |
REGKEYS |
This includes Registry permissions. |
FILESTORE |
This includes File System permissions. |
SERVICES |
This includes System Services settings. |
/logFileName
This parameter specifies a file in which to log the status of the export process. If not specified, the default is %windir%\security\logs\scesrv.log.
/quiet
This parameter specifies that the configuration process should take place without prompting the user.
Examples
The following is an example of how you can use this command:
secedit /import /db hisecws.sdb /cfg hisecws.inf /overwrite
Secedit /validate
You can use secedit /validate to validate the syntax of a security template to be imported into a database for analysis or application to a system.
Syntax
secedit/validate FileName
Parameters
FileName
This parameter specifies the file name of the security template you have created with Security Templates.
Examples
The following is an example of how you can use this command:
secedit /validate /cfg filename
Secedit /GenerateRollback
You can run secedit / GenerateRollback to generate a rollback template with respect to a configuration template. When applying a configuration template to a computer you have the option of creating rollback template which, when applied, resets the security settings to the values before the configuration template was applied.
Syntax
secedit /GenerateRollback/CFG FileName.inf /RBK SecurityTemplatefilename.inf [/logRollbackFileName.inf] [/quiet]
Parameters
/CFGFileName
This parameter specifies the file name of the security template for which you want to create a rollback template of.
/RBK FileName
This parameter specifies the file name of the security template that will be created as the rollback template.
Gpupdate
You can use gpupdate to refresh local Group Policy settings and Group Policy settings that are stored in Active Directory, including security settings. This command supersedes the now obsolete /refreshpolicy option for the secedit command.
Syntax
gpupdate [/target:{computer | user}] [/force] [/wait:Value] [/logoff] [/boot]
Parameters
/target:{computer | user}
This parameter specifies to processes only the Computer settings or the current User settings. By default, both the computer settings and the user settings are processed.
/force
Using this parameter ignores all processing optimizations and reapplies all settings.
/wait:Value
Indicates the number of seconds that policy processing must wait to finish. The default is 90 minutes with a randomized delay of up to 30 minutes — for a total maximum refresh interval of up to 120 minutes. 0 equals no wait, and -1 equals wait indefinitely.
/logoff
This parameter specifies that a user log off occurs after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the user logs on, such as user Group Policy Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require the user to log off.
/boot
Using this parameter restarts the computer after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the computer starts up, such as computer Group Policy Software Installation. This option has no effect if there are no extensions called that require the computer to be restarted.
/?
Using this parameter displays help at the command prompt.
Examples
The following examples show how you can use the gpupdate command:
gpupdate
This command triggers a Group Policy refresh.
gpupdate /target:computer
This command triggers a Group Policy refresh of the Computer Settings policies only.
gpupdate /force /wait:100
This command triggers a Group Policy refresh, reapplies all policy settings, and indicates to wait 100 seconds for policy to finish processing.
gpupdate /boot
This command triggers a Group Policy refresh and then causes the computer to restart.
Security Settings Policies
Security Settings include policy settings to control the following aspects of security:
Account Policies
Local Policies
Event Log
Restricted Groups
System Services
Registry
File System
For a description of all security settings policies, see“Security Policy Settings” in the Security Collection.
Related Information
The following resources contain additional information that is relevant to this section.
“Security Policy Settings” in the Security Collection.
“How Core Group Policy Works” in this collection.
“What Is Resultant Set of Policy?” in this collection.
“IPSec Policy Extension Tools and Settings” in this collection.
For information about RSoP and WMI and to download SDKs, see the Microsoft Platform SDK link on the Web Resources page.
For information about GPMC, see the Group Policy Management Console link on the Web Resources page.