secedit.sdb behavior in W2K

From: Mike Dapkus (mdapkus@lycos.com)
Date: 06/25/02


To: focus-ms@securityfocus.com
Date: Tue, 25 Jun 2002 15:57:54 -0500
From: "Mike Dapkus" <mdapkus@lycos.com>

I have a question about local security settings in W2K Server. I had thought that no matter how a change to the local policy was performed, it would update and modify secedit.sdb, but this is not the case. When making modifications to the local security policy via the "Local Security Settings" mmc snap-in, the file does not get updated. It only seems to get updated when running the cl utility secedit to apply a policy, or by loading a pre-defined local security policy in the "Security Configuration and Analysis" mmc snap-in.

I have tested this by starting out with a "known" local security policy, then making a particular change (doesn't seem to matter what is changed) to the policy via the "Local Security Settings" mmc snap-in - the secedit file does not get modified. If I start out in the same configuration, and make the same change using a *.sdb file, the secedit file immediately is updated. Is the policy stored in two different places, depending on which tool you've used to modify it?

Also, how often do servers reapply the local security policy? It seems like the "last modified date" of secedit.sdb is never much older than 24 hours, but I haven't noticed a pattern that repeats itself. A quick search of MS's site didn't help in answering either of these issues.

Thanks,
Mike
