secedit命令行操作组策略

[toc]

描述:组策略是建立Windows安全环境的重要手段，尤其是在Windows域环境下;系统管理员肯定使用

gpedit.msc

WeiyiGeek.gpedit.msc

组策略的计算机安全策略模板存放路径

系统默认的安全数据库路径

如果没有/log指定配置操作信息将被记录到scesrv.log

WeiyiGeek.secedit.sdb

基础语法:

此命令的语法为:secedit [/configure | /analyze | /import | /export | /validate | /generaterollback]参数:/quit 安静模式

描述:允许你导出保存在数据库中的安全设置。

语法:secedit /export [/db filename] [/mergedpolicy] /cfg filename [/areas area1 area2...] [/log filename]参数：/db filename - 指定要导出数据的数据库。如果没有指定，将使用系统安全数据库。/cfg filename - 指定要导出数据库内容的安全模板。/mergedpolicy - 合并并且导出域和本地策略安全设置。/areas - 指定要应用到系统的安全性范围。如果没有指定此参数，在数据库中定义的所有安全性设置都将应用到系统中。 要配置多个范围，用空格将它们分开。下列安全性范围是受支持的:* SECURITYPOLICY - 包括帐户策略，审核策略，事件日志设置和安全选项。* GROUP_MGMT - 包括受限制的组设置* USER_RIGHTS - 包括用户权限分配* REGKEYS - 包括注册表权限* FILESTORE - 包括文件系统权限* SERVICES - 包括系统服务设置/log filename - 指定要记录导出操作状态的文件。

基础信息:

#示例1.命令行获取本地安全策略secedit /export /cfg current.inf /log secedit.log#Built-In Local Groups #Administrators组 *S-1-5-32-544#Users组 *S-1-5-32-545#GUESTS组 *S-1-5-32-546#BUILTIN\ACCOUNT OPERATORS *S-1-5-32-548 (=0x224)#UILTIN\SERVER OPERATORS *S-1-5-32-549 (=0x225)#BUILTIN\PRINT OPERATORS *S-1-5-32-550 (=0x226)#BUILTIN\BACKUP OPERATORS *S-1-5-32-551 (=0x227)#BUILTIN\REPLICATOR  *S-1-5-32-552 (=0x228) $type current.inf[Unicode]Unicode=yes[System Access]MinimumPasswordAge = 0MaximumPasswordAge = 42MinimumPasswordLength = 0PasswordComplexity = 0 ;是否启用密码复杂度PasswordHistorySize = 0LockoutBadCount = 0 ;锁定次数RequireLogonToChangePassword = 0 ;登录就需要登录密码ForceLogoffWhenHourExpire = 0    ;强制下线NewAdministratorName = "Administrator"  ;管理员的默认名称NewGuestName = "Guest"ClearTextPassword = 0LSAAnonymousNameLookup = 0EnableAdminAccount = 0 ;是否启用管理员账户EnableGuestAccount = 0[Event Audit]AuditSystemEvents =3   ;审核系统事件 成功、失败AuditLogonEvents = 3AuditObjectAccess = 3AuditPrivilegeUse = 2AuditPolicyChange = 3AuditAccountManage = 3AuditProcessTracking = 2 ;审核过程追踪 失败AuditDSAccess = 1        ;审核目录服务访问 成功AuditAccountLogon = 3[Registry Values]MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,5MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,5MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,3MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,536870912MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,0MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersionMACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLogMACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1[Privilege Rights]SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544SeCreatePagefilePrivilege = *S-1-5-32-544SeDebugPrivilege = *S-1-5-32-544SeRemoteShutdownPrivilege = *S-1-5-32-544SeAuditPrivilege = *S-1-5-19,*S-1-5-20SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544SeIncreaseBasePriorityPrivilege = *S-1-5-32-544,*S-1-5-90-0SeLoadDriverPrivilege = *S-1-5-32-544SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559SeServiceLogonRight = *S-1-5-80-0SeInteractiveLogonRight = __vmware__,Guest,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551SeSecurityPrivilege = *S-1-5-32-544SeSystemEnvironmentPrivilege = *S-1-5-32-544SeProfileSingleProcessPrivilege = *S-1-5-32-544SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551SeTakeOwnershipPrivilege = *S-1-5-32-544SeDenyNetworkLogonRight = GuestSeDenyInteractiveLogonRight = GuestSeUndockPrivilege = *S-1-5-32-544,*S-1-5-32-545SeManageVolumePrivilege = *S-1-5-32-544SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6SeIncreaseWorkingSetPrivilege = *S-1-5-32-545SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-545SeCreateSymbolicLinkPrivilege = *S-1-5-32-544SeDelegateSessionUserImpersonatePrivilege = *S-1-5-32-544[Version]signature="$CHICAGO$" //校验非常重要Revision=1

描述:允许你用保存在数据库中的安全性设置来配置系统。

PixVerse

PixVerse是一款强大的AI视频生成工具，可以轻松地将多种输入转化为令人惊叹的视频。

下载

secedit /configure /db filename [/cfg filename] [/overwrite][/areas area1 area2...] [/log filename] [/quiet]/overwrite - 指定在导入安全性模板前数据库应该被清空。如果没有指定此参数，在安全性模板中指定的将累积到数据库中。             #如果没有指定此参数而且在数据库中的设置与要导入的模板冲突，将采用模板中的设置。/quiet - 指定配置操作的执行不需要提示用户进行任何确认。

基础示例:

secedit /configure /cfg current.inf /overwrite /log hisecws.log #对于所有的文件名，如果没有指定路径，则是用当前目录。#导入全案策略secedit /configure /db model.sdb /cfg gp.inf /quiet  #会自动生成 model.sdb任务成功结束,有关详细信息，请参阅日志 %windir%\security\logs\scesrv.log。

可将安全性模板导入到数据库以便模板中指定的设置可应用到系统或作为分析系统的依据。

secedit /import /db FileName .sdb /cfg FileName.inf [/overwrite] [/areasArea1 Area2 ...] [/logFileName] [/quiet]

基础示例:

secedit /import /db hisecws.sdb /cfg hisecws.inf /overwrite

描述:验证要导入到分析数据库或系统应用程序的安全模板的语法,在不同的系统下执行配置文件中的参数是不同的;

语法:secedit /validate FileName/cfg filename - 指定要验证的安全模板。安全模板是用安全模板管理单元创建的。

基础示例:

secedit /validate /cfg current.ini模版验证顺利完成，下列数据被忽略,数据无效。SeDelegateSessionUserImpersonatePrivilege 不是有效特权。

可通过将其与数据库中的基本设置相比较，分析一台计算机上的安全设置。

secedit /analyze /db FileName.sdb [/cfgFileName] [/overwrite] [/logFileName] [/quiet]

基础示例:

secedit /analyze /db current.sdb /log result.txt

WeiyiGeek.

描述：可根据配置模板生成一个回滚模板。在将配置模板应用到计算机上时，可以选择创建回滚模板，该模板在应用时会将安全性设置重置为应用配置模板前的值。

语法:secedit /generaterollback /cfg filename /rbk filename [/log filename] [/quiet]/db filename - 指定执行复原操作使用的数据库。/cfg filename - 指定一个将要生成关于它的复原模板的安全模板。安全模板是用安全模板管理单元创建的。/rbk filename - 指定一个复原信息要写入的安全模板。安全模板是用安全模板管理单元创建的。示例:对于所有的文件名，如果没有指定路径，则是用当前目录。secedit /generaterollback /db hisecws.sdb /cfg hisecws.inf /rbk hisecwsrollback.inf /log hisecws.log

 if exist no.txt (del no.txt)clsecho 正在进行 "审计与帐户策略" 安全检查echo > list.txt PasswordComplexity = 1echo >> list.txt MinimumPasswordLength = 8echo >> list.txt MaximumPasswordAge = 42echo >> list.txt MinimumPasswordAge = 1echo >> list.txt PasswordHistorySize = 5echo >> list.txt ClearTextPassword = 0echo >> list.txt ResetLockoutCount = 15echo >> list.txt LockoutDuration = 15echo >> list.txt LockoutBadCount = 15echo >> list.txt AuditPolicyChange = 3echo >> list.txt AuditLogonEvents = 3echo >> list.txt AuditObjectAccess = 3echo >> list.txt AuditPrivilegeUse = 0echo >> list.txt AuditProcessTracking = 0echo >> list.txt AuditDSAccess = 0echo >> list.txt AuditSystemEvents = 3echo >> list.txt AuditAccountLogon = 3echo >> list.txt AuditAccountManage = 3secedit /export /cfg model.inf >nulfor /F "tokens=1,3" %%i in (list.txt) do (call :Getgp %%i %%j)ping 127.0.0.1 /n 2 >nuldel tmp.txtdel list.txtdel model.infgoto :EOF:Getgpfind "%1" model.inf >tmp.txtfor /f "skip=2 tokens=3" %%i in (tmp.txt) do (if "%%i"=="%2" (echo %1=%%i ok) else (echo %1 策略不符合规则>>bad.txt))goto :EOF