secedit命令行操作组策略

gpedit.msc

<pre class="brush:php;toolbar:false;">此命令的语法为:secedit [/configure | /analyze | /import | /export | /validate | /generaterollback]参数:/quit 安静模式

<pre class="brush:php;toolbar:false;">语法:secedit /export [/db filename] [/mergedpolicy] /cfg filename [/areas area1 area2...] [/log filename]参数：/db filename - 指定要导出数据的数据库。如果没有指定，将使用系统安全数据库。/cfg filename - 指定要导出数据库内容的安全模板。/mergedpolicy - 合并并且导出域和本地策略安全设置。/areas - 指定要应用到系统的安全性范围。如果没有指定此参数，在数据库中定义的所有安全性设置都将应用到系统中。 要配置多个范围，用空格将它们分开。下列安全性范围是受支持的:* SECURITYPOLICY - 包括帐户策略，审核策略，事件日志设置和安全选项。* GROUP_MGMT - 包括受限制的组设置* USER_RIGHTS - 包括用户权限分配* REGKEYS - 包括注册表权限* FILESTORE - 包括文件系统权限* SERVICES - 包括系统服务设置/log filename - 指定要记录导出操作状态的文件。

<pre class="brush:php;toolbar:false;">#示例1.命令行获取本地安全策略secedit /export /cfg current.inf /log secedit.log#Built-In Local Groups #Administrators组 *S-1-5-32-544#Users组 *S-1-5-32-545#GUESTS组 *S-1-5-32-546#BUILTIN\ACCOUNT OPERATORS *S-1-5-32-548 (=0x224)#UILTIN\SERVER OPERATORS *S-1-5-32-549 (=0x225)#BUILTIN\PRINT OPERATORS *S-1-5-32-550 (=0x226)#BUILTIN\BACKUP OPERATORS *S-1-5-32-551 (=0x227)#BUILTIN\REPLICATOR  *S-1-5-32-552 (=0x228) $type current.inf[Unicode]Unicode=yes[System Access]MinimumPasswordAge = 0MaximumPasswordAge = 42MinimumPasswordLength = 0PasswordComplexity = 0 ;是否启用密码复杂度PasswordHistorySize = 0LockoutBadCount = 0 ;锁定次数RequireLogonToChangePassword = 0 ;登录就需要登录密码ForceLogoffWhenHourExpire = 0    ;强制下线NewAdministratorName = "Administrator"  ;管理员的默认名称NewGuestName = "Guest"ClearTextPassword = 0LSAAnonymousNameLookup = 0EnableAdminAccount = 0 ;是否启用管理员账户EnableGuestAccount = 0[Event Audit]AuditSystemEvents =3   ;审核系统事件 成功、失败AuditLogonEvents = 3AuditObjectAccess = 3AuditPrivilegeUse = 2AuditPolicyChange = 3AuditAccountManage = 3AuditProcessTracking = 2 ;审核过程追踪 失败AuditDSAccess = 1        ;审核目录服务访问 成功AuditAccountLogon = 3[Registry Values]MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,5MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,5MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,3MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,536870912MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,0MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersionMACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLogMACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1[Privilege Rights]SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544SeCreatePagefilePrivilege = *S-1-5-32-544SeDebugPrivilege = *S-1-5-32-544SeRemoteShutdownPrivilege = *S-1-5-32-544SeAuditPrivilege = *S-1-5-19,*S-1-5-20SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544SeIncreaseBasePriorityPrivilege = *S-1-5-32-544,*S-1-5-90-0SeLoadDriverPrivilege = *S-1-5-32-544SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559SeServiceLogonRight = *S-1-5-80-0SeInteractiveLogonRight = __vmware__,Guest,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551SeSecurityPrivilege = *S-1-5-32-544SeSystemEnvironmentPrivilege = *S-1-5-32-544SeProfileSingleProcessPrivilege = *S-1-5-32-544SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551SeTakeOwnershipPrivilege = *S-1-5-32-544SeDenyNetworkLogonRight = GuestSeDenyInteractiveLogonRight = GuestSeUndockPrivilege = *S-1-5-32-544,*S-1-5-32-545SeManageVolumePrivilege = *S-1-5-32-544SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6SeIncreaseWorkingSetPrivilege = *S-1-5-32-545SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-545SeCreateSymbolicLinkPrivilege = *S-1-5-32-544SeDelegateSessionUserImpersonatePrivilege = *S-1-5-32-544[Version]signature="$CHICAGO$" //校验非常重要Revision=1

<pre class="brush:php;toolbar:false;">secedit /configure /db filename [/cfg filename] [/overwrite][/areas area1 area2...] [/log filename] [/quiet]/overwrite - 指定在导入安全性模板前数据库应该被清空。如果没有指定此参数，在安全性模板中指定的将累积到数据库中。             #如果没有指定此参数而且在数据库中的设置与要导入的模板冲突，将采用模板中的设置。/quiet - 指定配置操作的执行不需要提示用户进行任何确认。

<pre class="brush:php;toolbar:false;">secedit /configure /cfg current.inf /overwrite /log hisecws.log #对于所有的文件名，如果没有指定路径，则是用当前目录。#导入全案策略secedit /configure /db model.sdb /cfg gp.inf /quiet  #会自动生成 model.sdb任务成功结束,有关详细信息，请参阅日志 %windir%\security\logs\scesrv.log。

<pre class="brush:php;toolbar:false;">secedit /import /db FileName .sdb /cfg FileName.inf [/overwrite] [/areasArea1 Area2 ...] [/logFileName] [/quiet]

<pre class="brush:php;toolbar:false;">secedit /import /db hisecws.sdb /cfg hisecws.inf /overwrite

<pre class="brush:php;toolbar:false;">语法:secedit /validate FileName/cfg filename - 指定要验证的安全模板。安全模板是用安全模板管理单元创建的。

<pre class="brush:php;toolbar:false;">secedit /validate /cfg current.ini模版验证顺利完成，下列数据被忽略,数据无效。SeDelegateSessionUserImpersonatePrivilege 不是有效特权。

<pre class="brush:php;toolbar:false;">secedit /analyze /db FileName.sdb [/cfgFileName] [/overwrite] [/logFileName] [/quiet]

<pre class="brush:php;toolbar:false;">secedit /analyze /db current.sdb /log result.txt

<pre class="brush:php;toolbar:false;">语法:secedit /generaterollback /cfg filename /rbk filename [/log filename] [/quiet]/db filename - 指定执行复原操作使用的数据库。/cfg filename - 指定一个将要生成关于它的复原模板的安全模板。安全模板是用安全模板管理单元创建的。/rbk filename - 指定一个复原信息要写入的安全模板。安全模板是用安全模板管理单元创建的。示例:对于所有的文件名，如果没有指定路径，则是用当前目录。secedit /generaterollback /db hisecws.sdb /cfg hisecws.inf /rbk hisecwsrollback.inf /log hisecws.log

<pre class="brush:php;toolbar:false;"> if exist no.txt (del no.txt)clsecho 正在进行 "审计与帐户策略" 安全检查echo > list.txt PasswordComplexity = 1echo >> list.txt MinimumPasswordLength = 8echo >> list.txt MaximumPasswordAge = 42echo >> list.txt MinimumPasswordAge = 1echo >> list.txt PasswordHistorySize = 5echo >> list.txt ClearTextPassword = 0echo >> list.txt ResetLockoutCount = 15echo >> list.txt LockoutDuration = 15echo >> list.txt LockoutBadCount = 15echo >> list.txt AuditPolicyChange = 3echo >> list.txt AuditLogonEvents = 3echo >> list.txt AuditObjectAccess = 3echo >> list.txt AuditPrivilegeUse = 0echo >> list.txt AuditProcessTracking = 0echo >> list.txt AuditDSAccess = 0echo >> list.txt AuditSystemEvents = 3echo >> list.txt AuditAccountLogon = 3echo >> list.txt AuditAccountManage = 3secedit /export /cfg model.inf >nulfor /F "tokens=1,3" %%i in (list.txt) do (call :Getgp %%i %%j)ping 127.0.0.1 /n 2 >nuldel tmp.txtdel list.txtdel model.infgoto :EOF:Getgpfind "%1" model.inf >tmp.txtfor /f "skip=2 tokens=3" %%i in (tmp.txt) do (if "%%i"=="%2" (echo %1=%%i ok) else (echo %1 策略不符合规则>>bad.txt))goto :EOF