How to Export Local Security Policy Settings in Batch Script
Local Security Policies, which include account lockout thresholds, password complexity requirements, and user rights assignments, are the core of Windows system hardening. For IT administrators, being able to export these settings into a portable file is essential for auditing a system's state, creating a backup before making major changes, or preparing a template to clone onto other workstations. Windows provides the secpol.msc GUI, but a Batch script built around the secedit utility is far better suited to automated workflows.
This guide explains how to extract your security configuration as a text-based template.
Why Export Local Security Policies?
- Audit Compliance: Creating a record of the machine's security state for insurance or security auditors.
- Disaster Recovery: Backing up your carefully configured local policies so they can be restored if the security database becomes corrupted.
- Environment Blueprinting: Extracting the "Gold Standard" security settings from one server to apply them to a fleet of machines.
secedit.exe is the official command-line tool for managing the Windows Security Configuration Database (local.sdb). It is built into every version of Windows.
Method 1: Exporting All Security Policies (INF Format)
The most comprehensive way to export policies is into a .inf template file. This file can be read in Notepad or re-imported later.
@echo off
setlocal
:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)
:: Build a unique filename next to the script. The %date% slices yield yyyyMMdd with
:: the en-US date format (ddd MM/dd/yyyy); other regional formats reorder the fields.
set "EXPORT_FILE=%~dp0Security_Settings_%COMPUTERNAME%_%date:~-4%%date:~-10,2%%date:~-7,2%.inf"
echo [PROCESS] Exporting Local Security Policies...
:: /export = Extract data
:: /cfg = Target filename
:: /areas SECURITYPOLICY = Focuses on the core security settings
secedit /export /cfg "%EXPORT_FILE%" /areas SECURITYPOLICY >nul
if %errorlevel% equ 0 (
    echo [SUCCESS] Policies exported to:
    echo %EXPORT_FILE%
) else (
    echo [ERROR] Export failed. Code: %errorlevel%
)
pause
Method 2: Exporting User Rights and Privileges
If you only care about who has rights like "Log on as a service" or "Shut down the system," you can target the USER_RIGHTS area.
@echo off
setlocal
:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)
:: Same yyyyMMdd naming as Method 1 (assumes the en-US date format)
set "EXPORT_FILE=%~dp0User_Rights_%COMPUTERNAME%_%date:~-4%%date:~-10,2%%date:~-7,2%.inf"
echo [PROCESS] Exporting User Rights Assignments...
:: /areas USER_RIGHTS = Only the [Privilege Rights] section (who holds which privilege)
secedit /export /cfg "%EXPORT_FILE%" /areas USER_RIGHTS >nul
if %errorlevel% equ 0 (
    echo [SUCCESS] User rights exported to:
    echo %EXPORT_FILE%
) else (
    echo [ERROR] Export failed. Code: %errorlevel%
)
pause
Creating a Security Inspection Routine
A professional script exports the data and then uses findstr to verify specific high-priority settings (like the lockout count).
@echo off
setlocal
echo ============================================================
echo Security Configuration Extraction Tool
echo ============================================================
:: 1. Verify Admin Rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [CRITICAL] Administrator privileges are REQUIRED for secedit.
    pause
    exit /b 1
)
:: 2. Perform Export
set "TMP_INF=%TEMP%\audit_temp_%RANDOM%.inf"
echo [PROCESS] Extracting data to temporary file...
secedit /export /cfg "%TMP_INF%" /areas SECURITYPOLICY >nul
if %errorlevel% neq 0 (
    echo [ERROR] Export failed. Code: %errorlevel%
    pause
    exit /b 1
)
:: 3. Report specific critical values
:: The export is UTF-16, which findstr cannot search directly, so the file is piped
:: through type, which converts it to the console code page. Entries look like
:: "LockoutBadCount = 5"; treating both "=" and space as delimiters puts the bare
:: value in %%b.
echo.
echo [RESULTS] Key Security Settings:
echo -------------------------------------------
:: Account Lockout
for /f "tokens=1,2 delims== " %%a in ('type "%TMP_INF%" ^| findstr /i "LockoutBadCount"') do (
    echo Account Lockout Threshold: %%b attempts
)
:: Password Length
for /f "tokens=1,2 delims== " %%a in ('type "%TMP_INF%" ^| findstr /i "MinimumPasswordLength"') do (
    echo Minimum Password Length: %%b characters
)
:: Password Complexity
for /f "tokens=1,2 delims== " %%a in ('type "%TMP_INF%" ^| findstr /i "PasswordComplexity"') do (
    if "%%b"=="1" (echo Password Complexity: Enabled) else (echo Password Complexity: Disabled)
)
echo -------------------------------------------
:: 4. Archive the export
set "ARCHIVE_DIR=%~dp0SecurityAudits"
if not exist "%ARCHIVE_DIR%" mkdir "%ARCHIVE_DIR%"
set "ARCHIVE_FILE=%ARCHIVE_DIR%\SecurityAudit_%COMPUTERNAME%_%date:~-4%%date:~-10,2%%date:~-7,2%.inf"
copy "%TMP_INF%" "%ARCHIVE_FILE%" >nul 2>&1
if %errorlevel% equ 0 (
    echo.
    echo [SAVED] Archived to: %ARCHIVE_FILE%
) else (
    echo.
    echo [WARN] Could not archive. Temporary file: %TMP_INF%
)
del "%TMP_INF%" >nul 2>&1
echo ============================================================
pause
Common Pitfalls and How to Avoid Them
Administrative Rights
The local security database is one of the most protected files in Windows. You must run your Batch script (and CMD) as an Administrator to use the /export flag.
Encoding Sensitivity
The exported .inf file is usually saved in UTF-16 LE (Unicode) encoding.
Wrong Way: parsing the .inf file with a basic text tool that only understands ASCII. UTF-16 stores a zero byte between the characters of Latin text, so a byte-oriented search for a key such as "LockoutBadCount" matches nothing and the file appears to contain no settings at all.
Correct Way: let type do the conversion. type recognises the UTF-16 byte-order mark and writes the text out in the console code page, so pipe the file through type before findstr or for /f reads it. If you are using a third-party tool to read the export, ensure it is set to handle "Unicode" or "UTF-16."
Advise your users that the exported file is NOT a registry file; it is a Security Template. To apply it to another machine, they must use the secedit /configure command rather than double-clicking the file.
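A companion script for that advice, added here as an example (it is not code from the original guide): it runs secedit /analyze against a saved template to report drift without changing anything, and only when called with /apply does it generate a rollback template with secedit /generaterollback and then run secedit /configure. The names GOLD_INF, WORK_DB, LOG_FILE and ROLLBACK_INF and the /apply switch are assumptions.

```batch
@echo off
setlocal
:: Added example, not part of the original guide. Compares this machine against a
:: gold template exported with Method 1 and applies it only when run with /apply.
:: GOLD_INF, WORK_DB, LOG_FILE and ROLLBACK_INF are assumed names.
set "GOLD_INF=%~dp0Gold_Security_Template.inf"
set "WORK_DB=%TEMP%\secedit_check_%RANDOM%.sdb"
set "LOG_FILE=%~dp0SecurityCheck_%COMPUTERNAME%.log"
set "ROLLBACK_INF=%~dp0Rollback_%COMPUTERNAME%.inf"

net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    exit /b 1
)
if not exist "%GOLD_INF%" (
    echo [ERROR] Template not found: %GOLD_INF%
    exit /b 1
)

:: Step 1: /analyze loads the template into a fresh database and compares it with
:: the live settings. Nothing on the machine changes; results go to the log.
echo [PROCESS] Analyzing against "%GOLD_INF%" ...
secedit /analyze /db "%WORK_DB%" /cfg "%GOLD_INF%" /log "%LOG_FILE%" /quiet
if %errorlevel% neq 0 (
    echo [ERROR] Analysis failed. Code: %errorlevel%
    goto :cleanup
)

:: Step 2: the log is UTF-16, so pipe it through type before findstr reads it.
:: Each "Mismatch" line names one setting that differs from the template.
set /a DRIFT=0
for /f "delims=" %%L in ('type "%LOG_FILE%" ^| findstr /i /c:"Mismatch"') do (
    echo [DRIFT] %%L
    set /a DRIFT+=1
)
echo [RESULT] %DRIFT% setting(s) differ from the template.
if /i not "%~1"=="/apply" goto :cleanup
if %DRIFT% equ 0 goto :cleanup

:: Step 3: keep an undo template before changing anything, then configure the
:: same areas the exports covered.
secedit /generaterollback /db "%WORK_DB%" /cfg "%GOLD_INF%" /rbk "%ROLLBACK_INF%" /log "%LOG_FILE%" /quiet
if %errorlevel% neq 0 (
    echo [ERROR] Could not create rollback template. Not applying.
    goto :cleanup
)
secedit /configure /db "%WORK_DB%" /cfg "%GOLD_INF%" /overwrite /areas SECURITYPOLICY USER_RIGHTS /log "%LOG_FILE%" /quiet
if %errorlevel% neq 0 (
    echo [ERROR] Configure failed. Code: %errorlevel%
    goto :cleanup
)
echo [SUCCESS] Template applied. Undo with: secedit /configure /db "%TEMP%\undo.sdb" /cfg "%ROLLBACK_INF%"

:cleanup
del "%WORK_DB%" >nul 2>&1
endlocal
```

Run it without arguments on a schedule to get a drift report, and with /apply only from a change window; the rollback template it writes first is what you feed back to secedit /configure if the new settings cause problems.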
Best Practices for Policy Archiving
- Use Unique Filenames: Include %COMPUTERNAME% and %DATE% in your filename to keep your audit logs organized.
- Secure the Export: The .inf file contains sensitive data about your security posture. Ensure it is stored in a folder with restricted access.
- Audit the SID: When exporting user rights, you might see "S-1-5-..." strings (SIDs) rather than usernames. This is normal behavior if the account belongs to a Domain or has been deleted.
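One way to carry out the "Secure the Export" point, added here as an example rather than code from the original guide: lock down the archive folder with icacls so that only Administrators and SYSTEM can read the templates, then re-read the ACL to confirm no broad principal is left. ARCHIVE_DIR is an assumed path chosen to match the inspection routine above.

```batch
@echo off
setlocal
:: Added example, not part of the original guide: restrict the archive folder used
:: by the inspection routine so only Administrators and SYSTEM can read the exports.
:: ARCHIVE_DIR is an assumed path (the same name the routine above uses).
set "ARCHIVE_DIR=%~dp0SecurityAudits"
if not exist "%ARCHIVE_DIR%" mkdir "%ARCHIVE_DIR%"

:: /inheritance:r removes the ACEs inherited from the parent folder (typically a
:: read grant for Users), /grant:r replaces the explicit grants with exactly these
:: two, and (OI)(CI) make them flow down to files and subfolders created later.
icacls "%ARCHIVE_DIR%" /inheritance:r /grant:r "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F" >nul
if %errorlevel% neq 0 (
    echo [ERROR] icacls failed. Code: %errorlevel%
    exit /b 1
)

:: Verify: list the ACL again and flag any broad principal that is still present.
:: /l makes findstr match the strings literally (the backslash is not an escape).
set /a STRAY=0
for /f "delims=" %%L in ('icacls "%ARCHIVE_DIR%" ^| findstr /i /l /c:"Everyone" /c:"BUILTIN\Users" /c:"Authenticated Users"') do (
    echo [WARN] Unexpected ACE: %%L
    set /a STRAY+=1
)
if %STRAY% equ 0 (
    echo [OK] "%ARCHIVE_DIR%" is readable only by Administrators and SYSTEM.
) else (
    echo [FAIL] %STRAY% unexpected ACEs remain on "%ARCHIVE_DIR%".
)
endlocal
```

Because the two grants carry (OI)(CI), every export the inspection routine copies into the folder later inherits the same restricted ACL without further work.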
Note that exporting the "Local" security policy will NOT show you the settings being enforced by the Domain. To see those, use the gpresult /h report.html command instead.
Conclusion
Exporting local security policy settings via Batch script is a fundamental requirement for maintaining a professional and secure Windows infrastructure. By utilizing the power of secedit to create portable security templates, you can simplify compliance audits, maintain consistent backups, and ensure that your workstations are always configured to your organization's highest standards. This automated approach to security management reduces risk and provides a clear, documented path for your system hardening and disaster recovery strategies across the entire Windows ecosystem.