Reset Local Security Policy Settings to Default in Windows  

    How to Reset All Local Security Policy Settings to Default in Windows
    Published by Category: General Tips
    14 Jan 2024
    Designer Media Ltd


    Local Security Policy (secpol.msc) is a Microsoft Management Console (MMC) snap-in with rules that administrators can configure on a computer or multiple devices for the purpose of protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor (gpedit.msc) snap-in allows you to define security configurations as part of a Group Policy Object (GPO).

    This tutorial will show you how to quickly reset all Local Security Policy settings back to default in XP, Vista, Windows 7, Windows 8, and Windows 10.

    Note
    You must be signed in as an administrator to be able to reset all Local Security Policy settings.

    This will not reset Local Security Policy settings for a computer connected to a domain using Active Directory. The network administrator controls these settings instead.

    Local Security Policy will only be available in:
    • XP Professional
    • Vista Business, Ultimate, and Enterprise editions.
    • Windows 7 Professional, Ultimate, and Enterprise editions.
    • Windows 8 Pro and Enterprise editions.
    • Windows 10 Pro, Enterprise, and Education editions.


    EXAMPLE: Local Security Policy settings
    [Screenshots: Local Security Policy (secpol.msc); Security Settings in the Local Group Policy Editor]



    Here's How:

    1 Open an elevated command prompt.

    2 Copy and paste the command below for your version of Windows into the elevated command prompt, and press Enter. (see screenshot below)

    (For Windows XP)
    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose


    (For Vista, Windows 7, Windows 8, and Windows 10)
    secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

    3 When finished, you can close the elevated command prompt if you like.

    4 Restart the computer to fully apply.

    [Screenshot: reset Local Security Policy settings command]


    That's it,
    Shawn Brink
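
A way to make the reset in step 2 recoverable, as an added example that is not part of the original tutorial: it exports the current policy and records local accounts and group membership before applying the default template. The backup folder C:\SecPolBackup, the file names and the -Areas parameter are assumptions; run it from an elevated PowerShell session on Vista or later.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the tutorial). Backup folder and file names are assumptions.
param(
    [string]$BackupDir = 'C:\SecPolBackup',   # hypothetical location
    [string[]]$Areas = @()                    # e.g. -Areas SECURITYPOLICY to limit the reset
)

$target = Join-Path $BackupDir (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. Export the current local policy to a template that secedit can re-import.
$backupInf = Join-Path $target 'before-reset.inf'
secedit /export /cfg $backupInf /log (Join-Path $target 'export.log')
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backupInf)) {
    throw 'Policy export failed; nothing was reset.'
}

# 2. Record local accounts and group membership, which the exported template may not hold.
Get-LocalUser | Select-Object Name, Enabled, SID |
    Export-Csv (Join-Path $target 'users.csv') -NoTypeInformation
Get-LocalGroup | ForEach-Object {
    $group = $_.Name
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $group } }, Name, SID, ObjectClass
} | Export-Csv (Join-Path $target 'group-members.csv') -NoTypeInformation

# 3. Apply the default template from step 2 of the tutorial (Vista and later).
$seceditArgs = @(
    '/configure'
    '/cfg', "$env:windir\inf\defltbase.inf"
    '/db',  (Join-Path $target 'defltbase.sdb')
    '/log', (Join-Path $target 'reset.log')
    '/verbose'
)
if ($Areas.Count -gt 0) { $seceditArgs += '/areas'; $seceditArgs += $Areas }
secedit @seceditArgs
Write-Host "Backup and logs are in $target"
```

The exported before-reset.inf can be passed back to secedit /configure as the /cfg template, and the two CSV files show which accounts and memberships existed before the reset.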






  1. Posts : 13
    windows
       #1

    user account got deleted upon following this


    i followed this procedure and my standard user-account got disabled. the "scesrv.log" confirms this.

    ----Configure Group Membership...
    Configure Users.
    remove LAPTOP\<username>.

    the c:\users\<username> folder is intact. but that user account is not visible in the login-screen, control-panel, netplwiz and settings-app. i forgot to create a system-restore-point before following this. any solution to recover my user-account?

    FEEDBACK: please include a note, warning the readers about this.


  2. Posts : 68,543
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #2

    Hello @naveen1,

    I'm not sure how this would have deleted a user account since it's only resetting the Local Security Policy Settings back to default.

    Just to confirm, did the account get disabled or deleted? If disabled, you should be able to just enable it again.

    Enable or Disable Account in Windows 10

    If deleted, you could try creating a new account with the same name, and use the same method in the tutorial below to change the ProfileImagePath value in the registry to use the original profile folder instead.

    Fix You've been signed in with a temporary profile in Windows 10


  3. Posts : 13
    windows
       #3

    thanks for the prompt reply.

    But those links did not help. still no luck. coz secpol.msc is like the master control above all these i guess (i can be wrong).

    can i know the secedit command to reverse this? or a secedit command or secpol policy that enables that standard account back. a secpol alternative for w10 home would help more.

    many thanks in advance.

    PS. if i may suggest, please include a note to remind people to create a system-restore point at the top of this article. though common sense dictates it, some people like me forget this at times.


  4. Posts : 68,543
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #4

    naveen1 said:
    thanks for the prompt reply.

    But those links did not help. still no luck. coz secpol.msc is like the master control above all these i guess (i can be wrong).

    can i know the secedit command to reverse this? or a secedit command or secpol policy that enables that standard account back. a secpol alternative for w10 home would help more.

    many thanks in advance.

    PS. if i may suggest, please include a note to remind people to create a system-restore point at the top of this article. though common sense dictates it, some people like me forget this at times.
    Hello,

    Secpol.msc is not available in the Windows 10 Home edition, so there's nothing to reset for it.

    There is not a reverse for this unless you have a system image to restore. However, it's only resetting the policies back to default.


  5. Posts : 13
    windows
       #5

    ok. can i know the name of the corresponding secpol policy?


  6. Posts : 68,543
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #6

    naveen1 said:
    ok. can i know the name of the corresponding secpol policy?
    Were you able to sign in to an administrator account to see if you may be able to enable your standard user account again?

    Enable or Disable Account in Windows 10

    If all else fails, you could try creating a new standard user account, and change its user profile to the original one instead using the same method below.

    Fix You've been signed in with a temporary profile in Windows 10


  7. Posts : 281
    Win 10 21H2 LTSC
       #7

    Tried this, it reset the account lockout settings, but everything under local policies/security options remains configured, I did reboot.

    Here is syntax for secedit.

    Code:
    secedit /configure /db filename [/cfg filename] [/overwrite][/areas area1 area2...] [/log filename] [/quiet]
    
                /db filename - Specifies the database used to perform the security configuration.
    
                /cfg filename - Specifies a security template to import into the database prior to configuring the computer. Security templates are created using the Security Templates snap-in.
    
                /overwrite - Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database.  If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.
    
                /areas - Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space.  The following security areas are supported:
    
                            SECURITYPOLICY - Includes Account Policies, Audit Policies, Event Log Settings and Security Options.
                            GROUP_MGMT - Includes Restricted Group settings
                            USER_RIGHTS - Includes User Rights Assignment
                            REGKEYS - Includes Registry Permissions
                            FILESTORE - Includes File System permissions
                            SERVICES - Includes System Service settings
    
                /log filename - Specifies a file in which to log the status of the configuration process.  If not specified, configuration processing information is logged in the scesrv.log file which is located in the %windir%\security\logs directory.
    
                /quiet - Specifies that the configuration process should take place without prompting the user for any confirmation.
    
    Example:
    
    secedit /configure /db hisecws.sdb /cfg hisecws.inf /overwrite /log hisecws.log
    
    For all filenames, the current directory is used if no path is specified.
    So adding /areas SECURITYPOLICY is probably safer.

    I did try adding /overwrite but still wouldn't wipe the existing security settings.

    Log output here, I can see it missed a bunch of registry keys where settings are configured, I looked at %windir%\inf\defltbase.inf and it has no defaults configured for most of the settings, so I think that might be the issue. Regardless, interesting to learn and tinker with this stuff.

    Code:
    ----Configure Security Policy...
    	Configure password information.
    	Administrator account is disabled.
    	Guest account is disabled.
    
    	System Access configuration was completed successfully.
    	LSA anonymous lookup names setting : existing SD = D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS)(A;;0x1000;;;S-1-5-17)(A;;0x801;;;AC)(A;;0x801;;;S-1-15-2-2).
    	Configure LSA anonymous lookup setting.
    	Configure machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel.
    	Configure machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand.
    	Configure machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption.
    	Configure machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername.
    	Configure machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption.
    	Configure machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext.
    	Configure machine\software\microsoft\windows\currentversion\policies\system\scforceoption.
    	Configure machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon.
    	Configure machine\software\microsoft\windows\currentversion\policies\system\undockwithoutlogon.
    	Configure machine\software\policies\microsoft\windows\safer\codeidentifiers\authenticodeenabled.
    	Configure machine\system\currentcontrolset\control\lsa\auditbaseobjects.
    	Configure machine\system\currentcontrolset\control\lsa\crashonauditfail.
    	Configure machine\system\currentcontrolset\control\lsa\disabledomaincreds.
    	Configure machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous.
    	Configure machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy\enabled.
    	Configure machine\system\currentcontrolset\control\lsa\forceguest.
    	Configure machine\system\currentcontrolset\control\lsa\fullprivilegeauditing.
    	Configure machine\system\currentcontrolset\control\lsa\nolmhash.
    	Configure machine\system\currentcontrolset\control\lsa\restrictanonymous.
    	Configure machine\system\currentcontrolset\control\lsa\restrictanonymoussam.
    	Configure machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers.
    	Configure machine\system\currentcontrolset\control\session manager\kernel\obcaseinsensitive.
    	Configure machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown.
    	Configure machine\system\currentcontrolset\control\session manager\protectionmode.
    	Configure machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect.
    	Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff.
    	Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
    	Configure machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionpipes.
    	Configure machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
    	Configure machine\system\currentcontrolset\services\lanmanserver\parameters\restrictnullsessaccess.
    	Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword.
    	Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature.
    	Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature.
    	Configure machine\system\currentcontrolset\services\ldap\ldapclientintegrity.
    
    	Configuration of Registry Values was completed successfully.
    	Configure log settings.
    
    	Audit/Log configuration was completed successfully.
    
    
    ----Configure available attachment engines...
    
    	Configuration of attachment engines was completed successfully.
    
    
    ----Un-initialize configuration engine...
    Last edited by Chrysalis; 31 May 2023 at 07:27.
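
The manual log reading in posts #1 and #7, as an added example that is not part of any post: a PowerShell function that groups scesrv.log lines by section, counts the registry values a run configured and lists any account removals. The sample lines are constructed from the excerpts quoted in this thread, and the function name is hypothetical.

```powershell
# Added example: summarise an scesrv.log run per "----Section..." header.
function Get-SceLogSummary {   # hypothetical helper name
    param([string[]]$Lines)
    $summary = [ordered]@{}
    $section = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^----(.+?)\.{3}$') {
            # New section header, e.g. "----Configure Security Policy..."
            $section = $Matches[1]
            $summary[$section] = [pscustomobject]@{
                Section = $section; RegistryValues = 0; Removals = @()
            }
            continue
        }
        if ($null -eq $section) { continue }   # ignore lines before the first header
        if ($text -match '^Configure machine\\') {
            $summary[$section].RegistryValues++          # one registry value configured
        } elseif ($text -match '^remove (.+?)\.?$') {
            $summary[$section].Removals += $Matches[1]   # account taken out of a group
        }
    }
    $summary.Values
}

# Constructed sample, built from the log excerpts quoted in posts #1 and #7.
$sample = @(
    '----Configure Group Membership...'
    'Configure Users.'
    'remove LAPTOP\<username>.'
    '----Configure Security Policy...'
    "`tConfigure password information."
    "`tConfigure machine\system\currentcontrolset\control\lsa\nolmhash."
    "`tConfigure machine\system\currentcontrolset\control\lsa\restrictanonymous."
    "`tConfiguration of Registry Values was completed successfully."
)
Get-SceLogSummary -Lines $sample | Format-Table Section, RegistryValues, Removals

# Against the real log (path as given in the secedit help text above):
# Get-SceLogSummary -Lines (Get-Content "$env:windir\security\logs\scesrv.log")
```

A section with entries under Removals shows that the template changed group membership, which is the area the /areas switch can leave out.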