RE: secedit.sdb behavior in W2K

From: Sarbjit Singh Gill
Date: Wed, 26 Jun 2002 23:42:34 +0800

This link would be useful.
ol/windows2000serv/deploy/confeat/securcon.asp (URL should be in one line)

There are indications that changing settings with the command-line SECEDIT tool
does immediate updates compared to using the Local Security Policy MMC snap

-----Original Message-----
From: Mike Dapkus
Sent: Wednesday, June 26, 2002 4:58 AM
Subject: secedit.sdb behavior in W2K

I have a question about local security settings in W2K Server. I had
thought that no matter how a change to the local policy was performed, it
would update and modify secedit.sdb, but this is not the case. When making
modifications to the local security policy via the "Local Security Settings"
mmc snap-in, the file does not get updated. It only seems to get updated
when running the cl utility secedit to apply a policy, or by loading a
pre-defined local security policy in the "Security Configuration and
Analysis" mmc snap-in.

I have tested this by starting out with a "known" local security policy,
then making a particular change (doesn't seem to matter what is changed) to
the policy via the "Local Security Settings" mmc snap-in - the secedit file
does not get modified. If I start out in the same configuration, and make
the same change using a *.sdb file, the secedit file immediately is updated.
Is the policy stored in two different places, depending on which tool you've
used to modify it?

Also, how often do servers reapply the local security policy? It seems like
the "last modified date" of secedit.sdb is never much older than 24 hours,
but I haven't noticed a pattern that repeats itself. A quick search of
MS's site didn't help answer either of these issues.

