GPEdit vs SecPol

Many users have questions regarding the difference between Local Group Policy Editor (gpedit.msc) and the Local Security Policy (secpol.msc) but there is not nothing mysterious about these two tools.

Both are used for administering system and security policies on your computer. The difference between the two is most visible on the scope of policies which those tools can edit.

To start explaining the difference, we can say that the secpol.msc is a subcategory of gpedit.msc.


  • Gpedit.msc is a file name for the Group Policy Editor console, mostly a graphical user interface for editing registry entries. This is not very easy because they are located at many places throughout computer registry but this tool makes the administration of registry easier.
  • Secpol.msc is another Windows module that is also used for administration of system settings. The Local Security Policy is a smaller brother to the Group Policy Editor, used to administer a subgroup of what you can administer using the gpedit.msc.

While group policies apply to your computer and users in your domain universally and are often set by your domain administrator from a central location, local security policies, as the name suggests, are relevant to your particular local machine only.

You can see that when opening the Group Policy Editor (gpedit.msc), you get to see more than when opening the Local Security Policy Editor (secpol.msc), and that is the major difference.

  • The gpedit.msc is broader.
  • The secpol.msc is narrower and focuses more on security related registry entries.

Previous post: Windows 10 Hardening (Part II)

Next post: Windows 2012 Hardening (Part I)