We have a server configured with exactly the security settings we want. However, we didn't configure the settings from within a security template. Is there any way to capture all the settings so that they're documented and can be repeated for other servers or to rebuild this server if necessary?

The Secedit command's /export function has an option called /mergedpolicy that should give you just what you need. Without the /mergedpolicy option, the /export function exports a security database to a security template .inf file. But when you specify /mergedpolicy, Secedit uses the computer's effective settings as the data for the security template it builds. For each policy, Secedit exports the effective setting, whether it comes from the computer's local Group Policy Object (GPO) or from a GPO in Active Directory (AD). Policies undefined in both the local GPO and AD GPOs are set to Windows' default settings, which are typically documented in Windows' Help facility.

For example, if you enter the command

secedit /export /mergedpolicy
 /cfg c:\baseline.inf

you'll get a security template named baseline.inf with all the computer's current defined settings. These include system services, registry and file permissions, and other policies that don't show up in the computer's local GPO but are available for configuration in security templates and in AD GPOs.

The /generaterollback function is similar to /mergedpolicy. When you use the /generaterollback function with Secedit, the utility compares the policies defined in your new template with the computer's current effective settings and creates a "rollback" security template. The only difference I've found between /mergedpolicy and /generaterollback is that /generaterollback doesn't support file and registry permissions. Therefore, I recommend sticking with /mergedpolicy.