I had created some custom registry settings for my sceregvl.inf file,
but I've re-registered the original sceregvl.inf file now (this is on
Windows 2000).

The problem is that the secedit.sdb file still contains the values for
those custom registry settings, so those registry values are being set
every time my computer reboots, and I don't want that to happen.

How can I re-create the secedit.sdb file so that it doesn't contain
those custom registry settings anymore?

Can I export my local security policy to a .inf file, edit it to
remove the custom settings, delete the secedit.sdb file, and then
import the .inf file to create a new secedit.sdb file? Will that
work?

Does the secedit.sdb file contain anything that doesn't get saved when
I export my local security policy?

http://support.microsoft.com/kb/214752
(look at the very end of the KB)


<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I had created some custom registry settings for my sceregvl.inf file,
> but I've re-registered the original sceregvl.inf file now (this is on
> Windows 2000).
>
> The problem is that the secedit.sdb file still contains the values for
> those custom registry settings, so those registry values are being set
> every time my computer reboots, and I don't want that to happen.
>
> How can I re-create the secedit.sdb file so that it doesn't contain
> those custom registry settings anymore?
>
> Can I export my local security policy to a .inf file, edit it to
> remove the custom settings, delete the secedit.sdb file, and then
> import the .inf file to create a new secedit.sdb file? Will that
> work?
>
> Does the secedit.sdb file contain anything that doesn't get saved when
> I export my local security policy?
>

On Mar 21, 8:44 am, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:
> http://support.microsoft.com/kb/214752
> (look at the very end of the KB)

Hi Roger,

Yes I did see that article. But after I renamed the secedit.sdb to
secedit.old, the "secedit /refreshpolicy machine_policy /enforce"
command didn't do anything. It did not create a new secedit.sdb file.

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Mar 21, 8:44 am, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:
>> http://support.microsoft.com/kb/214752
>> (look at the very end of the KB)
>
> Yes I did see that article. But after I renamed the secedit.sdb to
> secedit.old, the "secedit /refreshpolicy machine_policy /enforce"
> command didn't do anything. It did not create a new secedit.sdb file.
>

Hmmm - strange.
As a curiosity, is Help and Support service running?

Anyway, perhaps results will be different with procedure in
http://support.microsoft.com/kb/278316
Note however I would advise not using Setup Security.inf,
perhaps a copy from which I have removed the registry and
the filesystem sections. Contrary to popular belief (and some
older KB articles, setup security.inf does not reset the box
to the settings at setup, just something like them, and is not
always a safe operation, particularly relative to post install
changes to the system, installed features/option and/or apps).

On Mar 21, 9:32 am, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:
> <void.no.spam....@gmail.com> wrote in message
>
> news:(E-Mail Removed)...
>
> > On Mar 21, 8:44 am, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:
> >>http://support.microsoft.com/kb/214752
> >> (look at the very end of the KB)
>
> > Yes I did see that article. But after I renamed the secedit.sdb to
> > secedit.old, the "secedit /refreshpolicy machine_policy /enforce"
> > command didn't do anything. It did not create a new secedit.sdb file.
>
> Hmmm - strange.
> As a curiosity, is Help and Support service running?

I am not in front of my Win2k computer right now, but I am pretty sure
that there is no service named "Help and Support" under Windows 2000.
I have disabled other services that I thought were unnecessary
though. Could the secedit command depend on any other services?


> Anyway, perhaps results will be different with procedure inhttp://support.microsoft.com/kb/278316
> Note however I would advise not using Setup Security.inf,
> perhaps a copy from which I have removed the registry and
> the filesystem sections. Contrary to popular belief (and some
> older KB articles, setup security.inf does not reset the box
> to the settings at setup, just something like them, and is not
> always a safe operation, particularly relative to post install
> changes to the system, installed features/option and/or apps).

Yes I had seen that article too, but was hoping for another solution
because my registry and filesystem settings may be different now after
applying SP4 and a bunch of other updates. But maybe I will try your
idea of removing the registry and filesystem sections from it.

But couldn't I just export a template from the Local Security Policy,
edit it to remove the custom settings, and then re-import the template
into the Local Security Policy (without using the Security
Configuration and Analysis at all)? Would that re-create the
secedit.sdb file?

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Mar 21, 9:32 am, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:
>> <void.no.spam....@gmail.com> wrote in message
>>
>> news:(E-Mail Removed)...
>>
>> > On Mar 21, 8:44 am, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:
>> >>http://support.microsoft.com/kb/214752
>> >> (look at the very end of the KB)
>>
>> > Yes I did see that article. But after I renamed the secedit.sdb to
>> > secedit.old, the "secedit /refreshpolicy machine_policy /enforce"
>> > command didn't do anything. It did not create a new secedit.sdb file.
>>
>> Hmmm - strange.
>> As a curiosity, is Help and Support service running?
>
> I am not in front of my Win2k computer right now, but I am pretty sure
> that there is no service named "Help and Support" under Windows 2000.
> I have disabled other services that I thought were unnecessary
> though. Could the secedit command depend on any other services?
>

Sorry - forgot your mention of W2k - was thinking XP

>
>> Anyway, perhaps results will be different with procedure
>> inhttp://support.microsoft.com/kb/278316
>> Note however I would advise not using Setup Security.inf,
>> perhaps a copy from which I have removed the registry and
>> the filesystem sections. Contrary to popular belief (and some
>> older KB articles, setup security.inf does not reset the box
>> to the settings at setup, just something like them, and is not
>> always a safe operation, particularly relative to post install
>> changes to the system, installed features/option and/or apps).
>
> Yes I had seen that article too, but was hoping for another solution
> because my registry and filesystem settings may be different now after
> applying SP4 and a bunch of other updates. But maybe I will try your
> idea of removing the registry and filesystem sections from it.
>
> But couldn't I just export a template from the Local Security Policy,
> edit it to remove the custom settings, and then re-import the template
> into the Local Security Policy (without using the Security
> Configuration and Analysis at all)? Would that re-create the
> secedit.sdb file?
>

Not sure you could export with the corruption.

So does the secedit.sdb file only contain the Local Security Policy
settings? Or does it also contain Group Policy settings and/or other
things? Because if it contains things besides the Local Security
Policy settings, then when I re-create the file using the Setup
Security.inf template, those other things will be lost.

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> So does the secedit.sdb file only contain the Local Security Policy
> settings? Or does it also contain Group Policy settings and/or other
> things? Because if it contains things besides the Local Security
> Policy settings, then when I re-create the file using the Setup
> Security.inf template, those other things will be lost.
>
Any settings due to the domain environment gets pulled down,
but much of that is stored in the .pol files

On Mar 22, 10:28 pm, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:
> <void.no.spam....@gmail.com> wrote in message
>
> news:(E-Mail Removed)...> So does the secedit.sdb file only contain the Local Security Policy
> > settings? Or does it also contain Group Policy settings and/or other
> > things? Because if it contains things besides the Local Security
> > Policy settings, then when I re-create the file using the Setup
> > Security.inf template, those other things will be lost.
>
> Any settings due to the domain environment gets pulled down,
> but much of that is stored in the .pol files

I've got a standalone workstation, but you are right, the group policy
settings are stored in the registry.pol files.

Thanks for your help, Roger.

On Mar 23, 5:17 pm, "void.no.spam....@gmail.com"
<void.no.spam....@gmail.com> wrote:
> I've got a standalone workstation, but you are right, the group policy
> settings are stored in the registry.pol files.

Just a correction for my own sake: the registry.pol files store the
administrative template settings, and everything else in the group
policy editor (excluding the security settings) are saved under c:
\winnt\system32\GroupPolicy.