Security templates are INF files that contain security settings. These settings can include certain local policies but can also include things like file auditing settings, file permissions, IPSec configurations, registry permissions, and so forth—pretty much any security-related settings, in fact.

You can use a number of different tools to apply a security template to a computer. For example, Windows 2000 and higher includes Secedit.exe, a command-line tool that can be used to (among other things) apply a security template to a computer, effectively copying the settings in the template into the computer’s active configuration. Group Policy can also be used to deploy security templates.

Security templates work a bit like Group Policy, in that you can apply multiple templates to a computer. As with Group Policy, the last template applied to a computer “wins.” It’s as if several different individuals walked up to a computer, one at a time, and made configuration changes. If the first person set up very restrictive file permissions on a folder, but the second person walked up and configured much more lenient permissions, the effective permissions would be whatever the second person configured. If neither person configured a specific setting, that setting remains unchanged—the default setting for the operating system.

Security templates and Group Policy may seem like two different ways to accomplish the same tasks. They aren’t. Security templates configure ...