組策略是建立Windows安全環境的重要手段，尤其是在Windows域環境下。一個出色的系統管理員，應該能熟練地掌握並應用組策略。在視窗介面下訪問組策略用gpedit.msc，命令列下用secedit.exe。
先看secedit命令語法：
secedit /analyze
secedit /configure
secedit /export 
secedit /validate
。。。。直接輸入secedit /?顯示幫助檔案
=========================================================
 
組策略的電腦保安策略 
可以使用secedit，具體幫助參考secedit   /? 

其它內容，一般都存在與登錄檔，只要修改登錄檔就可以了，具體內容參考   *.adm檔案（windows\inf或\windows\system32\GroupPolicy\Adm下） 
登錄檔可以使用   regedit   -s   yourreg.reg   來匯入自己定義的值 
------------------------------------------------------------------------------------------------------
 
 
secedit /export /cfg gp.inf /log 1.log
匯出檔案內容示例：
=====================gp.inf================================
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 6
ResetLockoutCount = 30
LockoutDuration = 30
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableAdminAccount = 1
EnableGuestAccount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 1
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\Software\Microsoft\Driver Signing\Policy=3,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"0"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,"0"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"0"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,Posix
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,COMNAP,COMNODE,SQL\QUERY,SPOOLSS,NETLOGON,LSARPC,SAMR,BROWSER
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,COMCFG,DFS$
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-547
SeCreatePagefilePrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544
SeBatchLogonRight = *S-1-5-19,SUPPORT_388945a0
SeServiceLogonRight = *S-1-5-20
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551
SeSecurityPrivilege = *S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeProfileSingleProcessPrivilege = *S-1-5-32-544,*S-1-5-32-547
SeSystemProfilePrivilege = *S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeDenyNetworkLogonRight = SUPPORT_388945a0
SeDenyInteractiveLogonRight = SUPPORT_388945a0
SeUndockPrivilege = *S-1-5-32-544,*S-1-5-32-547
SeManageVolumePrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6
SeCreateGlobalPrivilege = *S-1-5-32-544,*S-1-5-6

組策略匯入匯出secedit
匯出 “我需要批量改系統的一個組策略。
 下面是我的操作過程。
 secedit /export /db C:\WINDOWS\security\Database\secedit.sdb /cfg C:\WINDOWS\security\templates\test.inf /areas SECURITYPOLICY
手工修改 test.inf
secedit /configure /db C:\WINDOWS\security\Database\secedit.sdb /cfg C:\WINDOWS\security\templates\test.inf /areas SECURITYPOLICY /overwrite

假設我要將密碼長度最小值設定為6，並啟用“密碼必須符合複雜性要求”，那麼先寫這麼一個模板： [version] signature="$CHICAGO$" [System Access] MinimumPasswordLength = 6 PasswordComplexity = 1 儲存為gp.inf，然後匯入： secedit /configure /db gp.sdb /cfg gp.inf /quiet 這個命令執行完成後，將在當前目錄產生一個gp.sdb，它是“中間產品”，你可以刪除它。 /quiet引數表示“安靜模式”，不產生日誌。但根據我的試驗，在2000sp4下該引數似乎不起作用，XP下正常。日誌總是儲存在%windir%\security\logs\scesrv.log。你也可以自己指定日誌以便隨後刪除它。比如： secedit /configure /db gp.sdb /cfg gp.inf /log gp.log del gp.* 另外，在匯入模板前，還可以先分析語法是否正確： secedit /validate gp.inf 那麼，如何知道具體的語法呢？當然到MSDN裡找啦。也有偷懶的辦法，因為系統自帶了一些安全模板，在%windir%\security\templates目錄下。開啟這些模板，基本上包含了常用的安全設定語法，一看就懂。 再舉個例子——關閉所有的“稽核策略”。（它所稽核的事件將記錄在事件檢視器的“安全性”裡）。 echo版： echo [version] >1.inf echo signature="$CHICAGO$" >>1.inf echo [Event Audit] >>1.inf echo AuditSystemEvents=0 >>1.inf echo AuditObjectAccess=0 >>1.inf echo AuditPrivilegeUse=0 >>1.inf echo AuditPolicyChange=0 >>1.inf echo AuditAccountManage=0 >>1.inf echo AuditProcessTracking=0 >>1.inf echo AuditDSAccess=0 >>1.inf echo AuditAccountLogon=0 >>1.inf echo AuditLogonEvents=0 >>1.inf secedit /configure /db 1.sdb /cfg 1.inf /log 1.log /quiet del 1.* 也許有人會說：組策略不是儲存在登錄檔中嗎，為什麼不直接修改登錄檔？因為不是所有的組策略都儲存在登錄檔中。比如“稽核策略”就不是。你可以用 regsnap比較修改該策略前後登錄檔的變化。我測試的結果是什麼都沒有改變。只有“管理模板”這一部分是完全基於登錄檔的。而且，知道了具體位置，用哪個方法都不復雜。 比如，XP和2003的“本地策略”－》“安全選項”增加了一個“本地帳戶的共享和安全模式”策略。XP下預設的設定是“僅來賓”。這就是為什麼用管理員帳號連線XP的ipc$仍然只有Guest許可權的原因。可以通過匯入reg檔案修改它為“經典”： echo Windows Registry Editor Version 5.00 >1.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] >>1.reg echo "forceguest"=dword:00000000 >>1.reg regedit /s 1.reg del 1.reg 而相應的用inf，應該是： echo [version] >1.inf echo signature="$CHICAGO$" >>1.inf echo [Registry Values] >>1.inf echo MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0 >>1.inf secedit /configure /db 1.sdb /cfg 1.inf /log 1.log del 1.* 關於命令列下讀取組策略的問題。 系統預設的安全資料庫位於%windir%\security\database\secedit.sdb，將它匯出至inf檔案： secedit /export /cfg gp.inf /log 1.log 沒有用/db引數指定資料庫就是採用預設的。然後檢視gp.inf。 不過，這樣得到的只是組策略的一部分（即“Windows設定”）。而且，某個策略如果未配置，是不會被匯出的。比如“重命名系統管理員帳戶”，只有被定義了才會在inf檔案中出現NewAdministratorName="xxx"。對於無法匯出的其他的組策略只有通過訪問登錄檔來獲得了。 此辦法在XP和2003下無效——可以匯出但內容基本是空的。原因不明。根據官方的資料，XP和2003顯示組策略用RSoP（組策略結果集）。相應的命令列工具是gpresult。但是，它獲得的是在系統啟動時被附加（來自域）的組策略，單機測試結果還是“空”。所以，如果想知道某些組策略是否被設定，只有先寫一個inf，再用secedit /analyze，然後檢視日誌了

secedit /export /cfg d:\setup.inf

匯入 

secedit /configure /db temp.sdb /cfg d:\setup.inf

 ADM檔案

%windir%\Inf 

模板

 %SYSTEMROOT%\security\templates