How to reset Security settings back to the default in Windows Operating Systems (Windows XP, Windows Server 2K3, Windows Vista).
Summary
This step-by-step article describes how to set the security settings in Microsoft Windows XP Professional
and in Windows Vista back to the default settings for a disaster recovery scenario. You should only follow
these steps when a security change that has negative effects has been applied to the computer and when no
backup is available to restore from. The Secsetup.inf template does not contain a full copy of the security
settings that are applied during setup.
More Information
Sample command to reset security settings
Note: After security settings are applied, you cannot undo the changes without restoring from a backup.
If you are uncertain about resetting your security settings back to the default security settings, you must
make a complete backup that includes the "System State" (the registry files). Items that are reset include
NTFS file system files and folders, the registry, policies, services, privilege rights, and group membership.
To reset your operating system back to original installation default security settings:
1. Click Start, click Run, type cmd, and then press ENTER.
(You may sometimes see an error. Therefore, do not forget to run the command prompt
using the Run as Administrator option.)
2. For Windows XP, type the following command, and then press ENTER:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
For Windows Vista, type the following command, and then press ENTER:
secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
You receive a "Task is completed" message, and a warning message that something could not be done.
You can safely ignore this message. For more information about this message,
view the %windir%\Security\Logs\Scesrv.log file.
Note: In Windows Vista, the defltbase.inf file is a Security configuration template for the default security.
You can view the settings for this file in the following location:
%windir%\inf\defltbase.inf
Next steps: After you complete these steps, standard user accounts may no longer appear on the logon
screen when you start your computer or try to switch users. This occurs because standard user accounts
are removed from the Users group when you reset Windows security settings. To add the affected user
accounts back to the Users group, follow these steps:
1. Click Start, and then All Programs. Or click Programs.
2. Click Accessories, and then click Command Prompt (Windows XP). Or right-click Command Prompt,
and then click Run As Administrator (Windows Vista).
3. In the Command Prompt window, type net users and then press ENTER. A list of user accounts is
displayed.
4. For each accountname listed in the Command Prompt that is missing from the log on or switch user
screen, type the following command and then press ENTER:
net localgroup users accountname /add
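The reset and the follow-up steps above, combined into one PowerShell script as an added example (not part of the original article): it records which local accounts are in the Users group before the reset, runs the article's secedit command for the detected OS, then re-adds the accounts that went missing. The snapshot file name and the function name Get-LocalUsersGroupMember are assumptions, and the group is assumed to carry its English name, Users.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
# Assumption: the local group is named "Users" (the name is localized on non-English Windows).
$ErrorActionPreference = 'Stop'

function Get-LocalUsersGroupMember {
    # Return the names of local user accounts that are members of the Users group.
    # ADSI is used so this also runs on the PowerShell versions available for XP and Vista.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Users,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # Local accounts look like WinNT://<domain-or-workgroup>/<computer>/<name>;
        # built-in principals such as INTERACTIVE do not contain the computer name.
        if ($path -like "*/$env:COMPUTERNAME/*") {
            $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        }
    }
}

# 1. Record membership before the reset (the snapshot file name is an assumption).
$snapshot = Join-Path $env:TEMP 'users-group-before-reset.txt'
$before = @(Get-LocalUsersGroupMember)
$before | Set-Content -Path $snapshot

# 2. Pick the template the article names for this OS. The article covers only
#    XP (NT 5.x, secsetup.inf) and Vista (NT 6.0, defltbase.inf).
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $template = "$env:windir\inf\defltbase.inf";   $db = 'defltbase.sdb'
} else {
    $template = "$env:windir\repair\secsetup.inf"; $db = 'secsetup.sdb'
}
if (-not (Test-Path $template)) { throw "Template not found: $template" }

# 3. Apply it with the same switches as the article's command.
& secedit.exe /configure /cfg $template /db $db /verbose
Write-Host "secedit exit code: $LASTEXITCODE (details in $env:windir\Security\Logs\Scesrv.log)"

# 4. Re-add every account that was in Users before the reset and is missing now.
$after = @(Get-LocalUsersGroupMember)
foreach ($name in $before) {
    if ($after -notcontains $name) {
        & net.exe localgroup users $name /add
    }
}
```

The snapshot only covers Users group membership; it does not replace the System State backup the article calls for.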
Secedit parameters
• /configure - Specifies that Secedit.exe should set system security settings.
• /DB filename - Provides the path to a database that contains the security template to be applied.
This is a required argument, but the database file does not have to exist if you use the /CFG switch
to specify a security template.
• /CFG filename - This argument is only valid when you use it with the /DB parameter. It is the path to
the security template that will be imported into the database and applied to the system. If you do not
specify this argument, the template that is already stored in the database will be applied.
• /overwrite - This argument is only valid when the /CFG argument is also used. This specifies whether the
security template in the /CFG argument overwrites any template or composite template that is stored in
the database instead of appending the results to the stored template. If this is not specified, the template
in the /CFG argument will be appended to the stored template.
• /areas AreaName1 AreaName2... - Specifies the security areas to be applied to the system. The default is
"all areas." Each area must be separated by a space.
AreaNameX - Description
SECURITYPOLICY - Local policy and domain policy for the system, including account policies,
audit policies, and other policies.
GROUP_MGMT - Restricted group settings for any groups that are specified in the security template.
USER_RIGHTS - User logon rights and granting of privileges.
REGKEYS - Security on local registry keys.
FILESTORE - Security on local file storage.
SERVICES - Security for all defined services.
Note: Each of these areas coincides with a similarly named section in the Security Template.
• /log logpath - You can use this switch to configure the location of the log file that tracks the changes.
• /verbose - Specifies more detailed progress information.
• /quiet - Minimizes the amount of feedback that is provided during the update on the screen and in the log file.
For online help about Secedit, click Start, click Run, type %windir%\help\secedit.chm, and then press ENTER.