Secedit /configure /db secedit.sdb /cfg"c:\temp\custom.inf" /silent >nul

This command imports a security template file, “custom.inf” into the workstation’s or server’s local security database. /db must be specified. When specifying the default secuirty database (secedit.sdb,) I found that providing no path worked best. The /cfg option informs Secedit that it is to import the .inf file into the specified database, appending it to any existing .inf files that have already been imported to this system. You can optionally include an /overwrite switch to overwrite all previous configurations for this machine. The /silent option supresses any pop-ups and the >nul hides the command line output stating success or failure of the action.

To create a security template, check out this tip.

To force the template change to take effect right away, use the following command line:

Secedit /refreshpolicy machine_policy /enforce /quiet

To periodically reinforce your security policy, you can issue Secedit commands remotely or through a script. If you arenÂ’t using GPOs to distribute security policy, you can use this command-line method to perform periodic updates of security policy.

By default, when a computer is restarted the settings on that computer will be refreshed. The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there have been any changes.