How to Reset Local Security Policy Settings to Default in Windows XP and Vista

Have you ever gotten a computer second-hand? Maybe from a company that was shutting down or from someone who no longer needed theirs? Ideally, you would want to simply reformat the computer and start from scratch, right?

However, that’s not always the case. Let’s say you get a computer that has Windows XP or Windows Vista already installed, but you don’t have the original CD that came with the computer. So you really can’t reformat computer without risking Windows not activating properly.

So what’s the problem with just leaving it the way it is? Well, sometimes when you get a computer, it may have been part of an Active Directory environment, which means it was subject to Group Policies.

Even if you remove the computer from the domain and put it into a workgroup, the local security policies that were changed will not be removed. This can be very annoying because local security policies include settings like preventing users from installing printers, restricting who can use the CD-ROM drive, requiring a smart card, restricted logon hours, password requirements and more!

These are all great in a corporate environment, but will cause all kinds of grief to a normal computer user. So what you can do to solve this problem is to reset the local security settings to their default settings.

The way this can be done is by using the default security configuration templates that come with all versions of Windows XP and Vista. This may sound too technical, but all you have to do is run one command.

First, click on Start, Run and then type in CMD. Now copy and paste the following command into the window:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

If you are running Windows Vista and need to reset the security settings to their default values, use this command instead:

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

reset local security policy

That’s it! Now just wait for Windows to go through all the registry settings and reset them. It takes a few minutes and you’ll have to restart the computer to see the changes.

But now you should be able to use your computer without any of the remnants of local security settings from previous Group Policies. Enjoy!

  1. HallCrash says:

    Good Job! This is a good way to reset the settings when Malware has messed them up. Even with the Malware removed, not all removal tools reset the security settings.

  2. Jwhite2 says:

    Thank you so much. I am currently in IRAQ with the US Army.

    I knew there was a way to do this. The sad part is that it took me over a day to find it.

    Great help!!!

    Thank you

  3. avivm says:

    I really appreciate your help. You saved us a lot of time.

  4. nriacone says:

    I have a machine as you described above that was part of a domain and given to an employee when they left the organization. I ran the command that you listed and still the machine is restricted from internet access. I have run RSoP and receive the red circle with a white x in it. A message will appear that the "Latest versions of the … are not available" What other settings am I missing?

    Thanks,

  5. gcowboy says:

    Got an error…Here's a cut out of my scesrv.log….any info would be great:

    —-Configure Registry Keys…

    Configure users.default.

    Configure users.defaultsoftwaremicrosoft
    etdde.

    Configure machinesoftware.

    Configure machinesoftwareclasses.

    Warning 5: Access is denied.

    Error setting security on machinesoftwareclassesPDFProCMWrap.CPDFProCMWrapCLSID.

    Warning 5: Access is denied.

    Error setting security on machinesoftwareclassesPDFProCMWrap.CPDFProCMWrap.1CLSID.

    Warning 5: Access is denied.

    Error setting security on machinesoftwareclassesWBEM.ClassNavCtrl.1CLSID.

    Warning 5: Access is denied.

    Error setting security on machinesoftwareclassesWBEM.CPPWizCtrl.1CLSID.

    Warning 5: Access is denied.

    Error setting security on machinesoftwareclassesWBEM.EventListCtrl.1CLSID.

    Warning 5: Access is denied.

    Error setting security on machinesoftwareclassesWBEM.EventRegCtrl.1CLSID.

    Warning 5: Access is denied.

    Error setting security on machinesoftwareclassesWBEM.HelpCtrl.1CLSID.

    Warning 5: Access is denied.

    Error setting security on machinesoftwareclassesWBEM.InstNavCtrl.1CLSID.

    Warning 5: Access is denied.

    Error setting security on machinesoftwareclassesWBEM.LoginCtrl.1CLSID.

    Warning 5: Access is denied.

    Error setting security on machinesoftwareclassesWBEM.MOFCompCtrl.1CLSID.

    Warning 5: Access is denied.

    Error setting security on machinesoftwareclassesWBEM.MOFWizCtrl.1CLSID.

    Warning 5: Access is denied.

    Error setting security on machinesoftwareclassesWBEM.MultiViewCtrl.1CLSID.

    Warning 5: Access is denied.

    Error setting security on machinesoftwareclassesWBEM.NSPickerCtrl.1CLSID.

    Warning 5: Access is denied.

    Error setting security on machinesoftwareclassesWBEM.ObjViewerCtrl.1CLSID.

    Warning 5: Access is denied.

    Error setting security on machinesoftwareclassesWBEM.SingleViewCtrl.1CLSID.

    Configure machinesoftwareclasses.hlp.

    Configure machinesoftwareclasseshelpfile.

    Configure machinesoftwaremicrosoftadsprovidersldapextensions.

    Configure machinesoftwaremicrosoftadsproviders
    ds.

    Configure machinesoftwaremicrosoftadsproviders
    wcompat.

    Configure machinesoftwaremicrosoftadsproviderswinnt.

    Configure machinesoftwaremicrosoftcommand processor.

    Configure machinesoftwaremicrosoftcryptography.

    Configure machinesoftwaremicrosoftcryptographycalais.

    Configure machinesoftwaremicrosoftdriver signing.

    Configure machinesoftwaremicrosoftenterprisecertificates.

    Configure machinesoftwaremicrosoft
    etdde.

    Configure machinesoftwaremicrosoft
    on-driver signing.

    Configure machinesoftwaremicrosoftole.

    Configure machinesoftwaremicrosoft
    pc.

    Configure machinesoftwaremicrosoftsecure.

    Configure machinesoftwaremicrosoftsystemcertificates.

    Configure machinesoftwaremicrosoftupnp device host.

    Configure machinesoftwaremicrosoftwindowscurrentversionexploreruser shell folders.

    Configure machinesoftwaremicrosoftwindowscurrentversion
    eliability.

    Configure machinesoftwaremicrosoftwindowscurrentversion
    unonce.

    Configure machinesoftwaremicrosoftwindowscurrentversion
    unonceex.

    Configure machinesoftwaremicrosoftwindowscurrentversion elephony.

    Configure machinesoftwaremicrosoftwindows ntcurrentversionaccessibility.

    Configure machinesoftwaremicrosoftwindows ntcurrentversionaedebug.

    Configure machinesoftwaremicrosoftwindows ntcurrentversionasrcommands.

    Configure machinesoftwaremicrosoftwindows ntcurrentversionclasses.

    Configure machinesoftwaremicrosoftwindows ntcurrentversiondrivers32.

    Configure machinesoftwaremicrosoftwindows ntcurrentversionefs.

    Configure machinesoftwaremicrosoftwindows ntcurrentversionfont drivers.

    Configure machinesoftwaremicrosoftwindows ntcurrentversionfontmapper.

    Configure machinesoftwaremicrosoftwindows ntcurrentversionimage file execution options.

    Configure machinesoftwaremicrosoftwindows ntcurrentversioninifilemapping.

    Configure machinesoftwaremicrosoftwindows ntcurrentversionperflib.

    Configure machinesoftwaremicrosoftwindows ntcurrentversionprofilelist.

    Configure machinesoftwaremicrosoftwindows ntcurrentversionsecedit.

    Configure machinesoftwaremicrosoftwindows ntcurrentversionsetup
    ecoveryconsole.

    Configure machinesoftwaremicrosoftwindows ntcurrentversionsvchost.

    Configure machinesoftwaremicrosoftwindows ntcurrentversion erminal serverinstallsoftwaremicrosoftwindowscurrentversion
    unonce.

    Configure machinesoftwaremicrosoftwindows ntcurrentversion ime zones.

    Configure machinesoftwaremicrosoftwindows ntcurrentversionwindows.

    Configure machinesoftwaremicrosoftwindows ntcurrentversionwinlogon.

    Configure machinesoftwarepolicies.

    Configure machinesystem.

    Configure machinesystemcurrentcontrolsetcontrolclass.

    Configure machinesystemcurrentcontrolsetcontrolkeyboard layout.

    Configure machinesystemcurrentcontrolsetcontrolkeyboard layouts.

    Configure machinesystemcurrentcontrolsetcontrol
    etwork.

    Configure machinesystemcurrentcontrolsetcontrolsecurepipeserverswinreg.

    Configure machinesystemcurrentcontrolsetcontrolsession managerexecutive.

    Configure machinesystemcurrentcontrolsetcontrol imezoneinformation.

    Configure machinesystemcurrentcontrolsetcontrolwmisecurity.

    Warning 5: Access is denied.

    Error setting security on machinesystemcurrentcontrolsetservicessptdCfg.

    Configure machinesystemcurrentcontrolsetservicesappmgmtsecurity.

    Configure machinesystemcurrentcontrolsetservicesclipsrvsecurity.

    Configure machinesystemcurrentcontrolsetservicescryptsvcsecurity.

    Configure machinesystemcurrentcontrolsetservicesdnscache.

    Configure machinesystemcurrentcontrolsetservicesersvcsecurity.

    Configure machinesystemcurrentcontrolsetserviceseventlogsecurity.

    Configure machinesystemcurrentcontrolsetservicesirenumsecurity.

    Configure machinesystemcurrentcontrolsetservices
    etbt.

    Configure machinesystemcurrentcontrolsetservices
    etddesecurity.

    Configure machinesystemcurrentcontrolsetservices
    etddedsdmsecurity.

    Configure machinesystemcurrentcontrolsetservices
    emoteaccess.

    Configure machinesystemcurrentcontrolsetservices
    pcsssecurity.

    Configure machinesystemcurrentcontrolsetservicessamsssecurity.

    Warning 2: The system cannot find the file specified.

    Error enumerating info for machinesystemcurrentcontrolsetservicesscarddrv.

    Configure machinesystemcurrentcontrolsetservicesscardsvrsecurity.

    Configure machinesystemcurrentcontrolsetservicesstisvcsecurity.

    Configure machinesystemcurrentcontrolsetservicessysmonloglog queries.

    Configure machinesystemcurrentcontrolsetservices apisrvsecurity.

    Configure machinesystemcurrentcontrolsetservices cpip.

    Configure machinesystemcurrentcontrolsetservicesw32timesecurity.

    Configure machinesystemcurrentcontrolsetserviceswmisecurity.

    Configuration of Registry Keys was completed successfully.

    —-Configure File Security…

    Configure c:.

    Warning 32: The process cannot access the file because it is being used by another process.

    Error building security descriptor for c:pagefile.sys.

    File Security configuration was completed with one or more errors.

  6. sharfud says:

    After using this command, my PC is working perfectly. Thanks very much.

  7. Ajay says:

    I am having a ton of security permissions problems and I need to reset everything. I tried to mess around with locking down my C drive, but I should not have done that. How can I get the original settings back?

  8. rspaldi says:

    Great article!
    I had a new infection today that wiped secedit.exe from teh computer, as well as locking down everything.
    The only way to get around it was to boot from the Ultimate Boot CD (www.ubcd4win.com), do a registry restore AFTER changing the security settings on the Config folder, then copying the file to the c drive, and then running the command.

    These scumbags putting out the malware have got to be stopped!

    Thanks again for your help. Between you, UBCD, and Superantispyware, I'm just barely staying ahead of the villians.

  9. Data Master says:

    Didn't work at all!! Very disappointed!! Ive been working on a computer for almost a day now with no luck at all!! Does anyone have any other solutions for people this fix doesn't work for?

  10. rocksmith says:

    Cant get it to work on 7, can u give us a command line for windows seven :( my GPO is all MESSED UP

    thx

  11. Angel says:

    if it didnt work, try to do it from an administrator account.

    what I can suggest is to log on as administrator, then go to the system32 folder, delete the 'hidden' folder named 'GroupPolicy' .. restart the machine (of course not hooked to your domain network).. and then run the command line and see if that makes any difference..

    if the computer has local group policies, then deleting that folder helps to remove those policies.. but the registry still needs to be cleaned I think..

    Cheers :)

  12. Kukulkan says:

    These don't work in Windows 7 x64 at all, have tried it multiple times. Encountering security errors attempting to modify HKLMSoftwareClasses. Have run using administrator account, ran CMD in admin mode, still no luck. If anyone has a clue how to do this, it'd be nice to hear it. It's really surprising there's no simple method for this that works.

  13. skipper robb says:

    Needle in a Haystack. You just burned down the Haystack. Very Good Job. It's one of the 100 most important tools in my workstation chest now.

  14. Chris says:

    Wow – I literally searched for about 2 days trying to solve all my Windows XP problems after a HDD failure – I knew the problem was security, as I saw CHKDISK resetting them all and then afterward saw problems like
    - no taskbar
    - no copy and paste
    - no start button
    - many many other problems.

    All Fixed with one line.

    Thank you for enlightening the world with this. I've copied it into a batch file on our server for posterity.

    I, seriously, can't thank you enough.

    Chris

  15. Graeme Jackson says:

    Absolute life saver. I thought I was going to have to clean this all up policy by policy.

    Thank you.

  16. Jim says:

    GREAT!!! Did exactly as advertised on an XP Pro machine. It got rid of all those annoying group policies.

  17. Jin says:

    the process was done but with errors :(

  18. Bav says:

    Was just messing around with security templates in AD and accidentally configured the computer with some settings I was playing around with. Luckily I found this!!!!

    MS should really put in a warning in their training manuals.

    Thanks

  19. sperveiz says:

    First of All… Thanks so much for the help with this post. I also need to know how can i first take a backup of the existing security policy or export it to a location, just incase i want to put it back i can import it again.

  20. Fox says:

    How can I do this on Windows Server 2008 R2?

  21. XPPro says:

    I was given a corporate computer that a friend received from his old employer so he could make it into a linux box. I found a utility to reset all the passwords on the system to blank but was still hitting policy problems.

    This looks like it’s working. I had to replace “%windir%” with “windows” and start from C:\ (cd \) for this to work, but it did in the end.

  22. Imran Khalid says:

    Very helpful and works for me in Windows 7. I got lot of security issues in one of my Windows 7 image and after setting it to default, it’s working like a charm. Thanks for the help mate.

Leave a Reply