Tried this, it reset the account lockout settings, but everything under local policies/security options remains configured, I did reboot.
Here is syntax for secedit.
Code:
secedit /configure /db filename [/cfg filename] [/overwrite][/areas area1 area2...] [/log filename] [/quiet]
/db filename - Specifies the database used to perform the security configuration.
/cfg filename - Specifies a security template to import into the database prior to configuring the computer. Security templates are created using the Security Templates snap-in.
/overwrite - Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.
/areas - Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following security areas are supported:
SECURITYPOLICY - Includes Account Policies, Audit Policies, Event Log Settings and Security Options.
GROUP_MGMT - Includes Restricted Group settings
USER_RIGHTS - Includes User Rights Assignment
REGKEYS - Includes Registry Permissions
FILESTORE - Includes File System permissions
SERVICES - Includes System Service settings
/log filename - Specifies a file in which to log the status of the configuration process. If not specified, configuration processing information is logged in the scesrv.log file which is located in the %windir%\security\logs directory.
/quiet - Specifies that the configuration process should take place without prompting the user for any confirmation.
Example:
secedit /configure /db hisecws.sdb /cfg hisecws.inf /overwrite /log hisecws.log
For all filenames, the current directory is used if no path is specified.
So adding /areas SECURITYPOLICY is probably safer.
I did try adding /overwrite but still wouldnt wipe the existing security settings.
Log output here, I can see it missed a bunch of registry keys where settings are configured, I looked at %windir%\inf\defltbase.inf and it has no defaults configured for most of the settings, so I think that might the issue. Regardless, interesting to learn and tinker with this stuff.
Code:
----Configure Security Policy...
Configure password information.
Administrator account is disabled.
Guest account is disabled.
System Access configuration was completed successfully.
LSA anonymous lookup names setting : existing SD = D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS)(A;;0x1000;;;S-1-5-17)(A;;0x801;;;AC)(A;;0x801;;;S-1-15-2-2).
Configure LSA anonymous lookup setting.
Configure machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel.
Configure machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand.
Configure machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption.
Configure machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername.
Configure machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption.
Configure machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext.
Configure machine\software\microsoft\windows\currentversion\policies\system\scforceoption.
Configure machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon.
Configure machine\software\microsoft\windows\currentversion\policies\system\undockwithoutlogon.
Configure machine\software\policies\microsoft\windows\safer\codeidentifiers\authenticodeenabled.
Configure machine\system\currentcontrolset\control\lsa\auditbaseobjects.
Configure machine\system\currentcontrolset\control\lsa\crashonauditfail.
Configure machine\system\currentcontrolset\control\lsa\disabledomaincreds.
Configure machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous.
Configure machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy\enabled.
Configure machine\system\currentcontrolset\control\lsa\forceguest.
Configure machine\system\currentcontrolset\control\lsa\fullprivilegeauditing.
Configure machine\system\currentcontrolset\control\lsa\nolmhash.
Configure machine\system\currentcontrolset\control\lsa\restrictanonymous.
Configure machine\system\currentcontrolset\control\lsa\restrictanonymoussam.
Configure machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers.
Configure machine\system\currentcontrolset\control\session manager\kernel\obcaseinsensitive.
Configure machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown.
Configure machine\system\currentcontrolset\control\session manager\protectionmode.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionpipes.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\restrictnullsessaccess.
Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword.
Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature.
Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature.
Configure machine\system\currentcontrolset\services\ldap\ldapclientintegrity.
Configuration of Registry Values was completed successfully.
Configure log settings.
Audit/Log configuration was completed successfully.
----Configure available attachment engines...
Configuration of attachment engines was completed successfully.
----Un-initialize configuration engine...