secedit命令行操作组策略

此命令的语法为:
secedit [/configure | /analyze | /import | /export | /validate | /generaterollback]

参数:
/quit 安静模式

语法:
secedit /export [/db filename] [/mergedpolicy] /cfg filename [/areas area1 area2...] [/log filename]
参数：
/db filename - 指定要导出数据的数据库。如果没有指定，将使用系统安全数据库。
/cfg filename - 指定要导出数据库内容的安全模板。
/mergedpolicy - 合并并且导出域和本地策略安全设置。
/areas - 指定要应用到系统的安全性范围。如果没有指定此参数，在数据库中定义的所有安全性设置都将应用到系统中。 要配置多个范围，用空格将它们分开。下列安全性范围是受支持的:
* SECURITYPOLICY - 包括帐户策略，审核策略，事件日志设置和安全选项。
* GROUP_MGMT - 包括受限制的组设置
* USER_RIGHTS - 包括用户权限分配
* REGKEYS - 包括注册表权限
* FILESTORE - 包括文件系统权限
* SERVICES - 包括系统服务设置
/log filename - 指定要记录导出操作状态的文件。

#示例1.命令行获取本地安全策略
secedit /export /cfg current.inf /log secedit.log

#Built-In Local Groups 
#Administrators组 *S-1-5-32-544
#Users组 *S-1-5-32-545
#GUESTS组 *S-1-5-32-546
#BUILTIN\ACCOUNT OPERATORS *S-1-5-32-548 (=0x224)
#UILTIN\SERVER OPERATORS *S-1-5-32-549 (=0x225)
#BUILTIN\PRINT OPERATORS *S-1-5-32-550 (=0x226)
#BUILTIN\BACKUP OPERATORS *S-1-5-32-551 (=0x227)
#BUILTIN\REPLICATOR  *S-1-5-32-552 (=0x228) 

$type current.inf
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0 ;是否启用密码复杂度
PasswordHistorySize = 0
LockoutBadCount = 0 ;锁定次数
RequireLogonToChangePassword = 0 ;登录就需要登录密码
ForceLogoffWhenHourExpire = 0    ;强制下线
NewAdministratorName = "Administrator"  ;管理员的默认名称
NewGuestName = "Guest"
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableAdminAccount = 0 ;是否启用管理员账户
EnableGuestAccount = 0
[Event Audit]
AuditSystemEvents =3   ;审核系统事件 成功、失败
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 2 ;审核过程追踪 失败
AuditDSAccess = 1        ;审核目录服务访问 成功
AuditAccountLogon = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,5
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,5
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,3
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,536870912
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,0
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
SeCreatePagefilePrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544,*S-1-5-90-0
SeLoadDriverPrivilege = *S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
SeServiceLogonRight = *S-1-5-80-0
SeInteractiveLogonRight = __vmware__,Guest,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeSecurityPrivilege = *S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeDenyNetworkLogonRight = Guest
SeDenyInteractiveLogonRight = Guest
SeUndockPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeManageVolumePrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeIncreaseWorkingSetPrivilege = *S-1-5-32-545
SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-545
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544
SeDelegateSessionUserImpersonatePrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$" //校验非常重要
Revision=1

secedit /configure /db filename [/cfg filename] [/overwrite][/areas area1 area2...] [/log filename] [/quiet]
/overwrite - 指定在导入安全性模板前数据库应该被清空。如果没有指定此参数，在安全性模板中指定的将累积到数据库中。
             #如果没有指定此参数而且在数据库中的设置与要导入的模板冲突，将采用模板中的设置。
/quiet - 指定配置操作的执行不需要提示用户进行任何确认。

secedit /configure /cfg current.inf /overwrite /log hisecws.log #对于所有的文件名，如果没有指定路径，则是用当前目录。

#导入全案策略
secedit /configure /db model.sdb /cfg gp.inf /quiet  #会自动生成 model.sdb
任务成功结束,有关详细信息，请参阅日志 %windir%\security\logs\scesrv.log。

secedit /import /db FileName .sdb /cfg FileName.inf [/overwrite] [/areasArea1 Area2 ...] [/logFileName] [/quiet]

secedit /import /db hisecws.sdb /cfg hisecws.inf /overwrite

语法:
secedit /validate FileName
/cfg filename - 指定要验证的安全模板。安全模板是用安全模板管理单元创
建的。

secedit /validate /cfg current.ini
模版验证顺利完成，下列数据被忽略,数据无效。
SeDelegateSessionUserImpersonatePrivilege 不是有效特权。

secedit /analyze /db FileName.sdb [/cfgFileName] [/overwrite] [/logFileName] [/quiet]

secedit /analyze /db current.sdb /log result.txt

语法:
secedit /generaterollback /cfg filename /rbk filename [/log filename] [/quiet]
/db filename - 指定执行复原操作使用的数据库。
/cfg filename - 指定一个将要生成关于它的复原模板的安全模板。安全模板是用安全模板管理单元创建的。
/rbk filename - 指定一个复原信息要写入的安全模板。安全模板是用安全模板管理单元创建的。

示例:对于所有的文件名，如果没有指定路径，则是用当前目录。
secedit /generaterollback /db hisecws.sdb /cfg hisecws.inf /rbk hisecwsrollback.inf /log hisecws.log

 if exist no.txt (del no.txt)
cls
echo 正在进行 "审计与帐户策略" 安全检查
echo > list.txt PasswordComplexity = 1
echo >> list.txt MinimumPasswordLength = 8
echo >> list.txt MaximumPasswordAge = 42
echo >> list.txt MinimumPasswordAge = 1
echo >> list.txt PasswordHistorySize = 5
echo >> list.txt ClearTextPassword = 0
echo >> list.txt ResetLockoutCount = 15
echo >> list.txt LockoutDuration = 15
echo >> list.txt LockoutBadCount = 15
echo >> list.txt AuditPolicyChange = 3
echo >> list.txt AuditLogonEvents = 3
echo >> list.txt AuditObjectAccess = 3
echo >> list.txt AuditPrivilegeUse = 0
echo >> list.txt AuditProcessTracking = 0
echo >> list.txt AuditDSAccess = 0
echo >> list.txt AuditSystemEvents = 3
echo >> list.txt AuditAccountLogon = 3
echo >> list.txt AuditAccountManage = 3

secedit /export /cfg model.inf >nul

for /F "tokens=1,3" %%i in (list.txt) do (
call :Getgp %%i %%j
)
ping 127.0.0.1 /n 2 >nul
del tmp.txt
del list.txt
del model.inf
goto :EOF
:Getgp
find "%1" model.inf >tmp.txt
for /f "skip=2 tokens=3" %%i in (tmp.txt) do (
if "%%i"=="%2" (echo %1=%%i ok) else (echo %1 策略不符合规则>>bad.txt)
)

goto :EOF