Permission to make symbolic links in Windows 7?

49,655

Solution 1

  1. Open the Local Group Policy Editor : Run>gpedit.msc. If that doesn't work try secpol.msc (Note, Windows Home users might need to enable group-policy-editor first).

  2. Go to (Windows Pro users might don't see the first two items ) :

    Computer configuration → Windows SettingsSecurity Settings → Local Policies → User Rights Assignment and edit the Create symbolic links.

    enter image description here

  3. Add the user or group that you want to allow to create symbolic links.

  4. If you've added your own user account, you need to log out and log in back in for the change to have an effect.

Note: This setting has no effect on user accounts that belong to the Administrators group. Those users will always have to run mklink in an elevated environment (as Administrator) because of the way UAC removes privileges when creating an non-elevated access token. There is a handy Excel reference sheet for finding group policy settings: Group Policy Settings Reference for Windows and Windows Server

Solution 2

Some windows configurations miss gpedit.msc. In this case You can try as an alternative:

  1. running this PowerShell script from here:
    function addSymLinkPermissions($accountToAdd){
        Write-Host "Checking SymLink permissions.."
        $sidstr = $null
        try {
            $ntprincipal = new-object System.Security.Principal.NTAccount "$accountToAdd"
            $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
            $sidstr = $sid.Value.ToString()
        } catch {
            $sidstr = $null
        }
        Write-Host "Account: $($accountToAdd)" -ForegroundColor DarkCyan
        if( [string]::IsNullOrEmpty($sidstr) ) {
            Write-Host "Account not found!" -ForegroundColor Red
            exit -1
        }
        Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan
        $tmp = [System.IO.Path]::GetTempFileName()
        Write-Host "Export current Local Security Policy" -ForegroundColor DarkCyan
        secedit.exe /export /cfg "$($tmp)" 
        $c = Get-Content -Path $tmp 
        $currentSetting = ""
        foreach($s in $c) {
            if( $s -like "SECreateSymbolicLinkPrivilege*") {
                $x = $s.split("=",[System.StringSplitOptions]::RemoveEmptyEntries)
                $currentSetting = $x[1].Trim()
            }
        }
        if( $currentSetting -notlike "*$($sidstr)*" ) {
            Write-Host "Need to add permissions to SymLink" -ForegroundColor Yellow

            Write-Host "Modify Setting ""Create SymLink""" -ForegroundColor DarkCyan

            if( [string]::IsNullOrEmpty($currentSetting) ) {
                $currentSetting = "*$($sidstr)"
            } else {
                $currentSetting = "*$($sidstr),$($currentSetting)"
            }
            Write-Host "$currentSetting"
        $outfile = @"
    [Unicode]
    Unicode=yes
    [Version]
    signature="`$CHICAGO`$"
    Revision=1
    [Privilege Rights]
    SECreateSymbolicLinkPrivilege = $($currentSetting)
    "@
        $tmp2 = [System.IO.Path]::GetTempFileName()
            Write-Host "Import new settings to Local Security Policy" -ForegroundColor DarkCyan
            $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force
            Push-Location (Split-Path $tmp2)
            try {
                secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS 
            } finally { 
                Pop-Location
            }
        } else {
            Write-Host "NO ACTIONS REQUIRED! Account already in ""Create SymLink""" -ForegroundColor DarkCyan
            Write-Host "Account $accountToAdd already has permissions to SymLink" -ForegroundColor Green
            return $true;
        }
    }
  1. download polsedit which looks like freeware alternative to gpedit.msc

Then run gpupdate /force to apply changes immediately

Share:
49,655

Related videos on Youtube

KarolDepka
Author by

KarolDepka

Updated on September 17, 2022

Comments

  • KarolDepka
    KarolDepka about 1 year

    How can I grant a particular user the permission to create symlinks in Windows 7?

    I've searched through "Group Policy" and Google, but haven't found anything.

    On a side note, is there a way to search through everything in Group Policy Editor? The filters only seem to work on particular subtrees. I never actually found anything using the filters.

    • Monsignor
      Monsignor over 6 years
      BTW Does anybody know why creating symlinks requires admin permissions? What is so dangerous in them?
    • Joshua
      Joshua about 6 years
      @Monsignor: I saw a long time ago that Microsoft claimed too many programs couldn't handle them safely. Anyway I'm rather annoyed that they require elevation to use.
  • Seldaek
    Seldaek over 13 years
    Here it looked more like the following, just for reference if someone gets confused: Control Panel > Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment > Create symbolic links And by the way you need to logout and login again for the settings to apply.
  • Seldaek
    Seldaek over 13 years
    And you can run secpol.msc to skip the first part, then all you got left is : Local Policies > User Rights Assignment > Create symbolic links
  • ajax992
    ajax992 almost 13 years
    Also: Running "gpupdate /force" from either CMD or just the Run dialog should apply the setting as well.
  • palswim
    palswim over 9 years
    iisreset will do this for IIS permissions.
  • David Käriu III
    David Käriu III over 8 years
    Any way to do the same via registry for Microsoft-hated-non-Windows-8-Pro users? gpedit.msc is not available to them
  • DanO
    DanO over 8 years
    @szx - unfortunately User Rights security settings are not registry keys. If you are into programming, you can change the settings programmatically. However, using the numerous gpedit.msc hacks available to simple get gpedit onto windows home editions will likely be easier. Search for "advapi32 exports" if you want to do it programmatically.
  • SimonH
    SimonH about 8 years
    I don't have the permission to run gpedit.mcs as a normal User. Is there another way I can see what privileges I have (especially if I may create symbolic links)?
  • Trevor Boyd Smith
    Trevor Boyd Smith over 7 years
    re - "Those users will always have to run mklink in an elevated environment (as Administrator)"... so administrators are always having to run with elevated... arg.
  • Kevin Smyth
    Kevin Smyth over 7 years
    For Home users: secedit /import /db secedit.sdb /cfg symlink_everyone.inf
  • Lawrence Dol
    Lawrence Dol almost 7 years
    @KevinSmyth: Where does the SDB file come from?
  • miroxlav
    miroxlav almost 7 years
    Besides giving the source. please add the script in case the source is no longer present.
  • DavidPostill
    DavidPostill almost 7 years
    Windows Starter Edition, Home and Home Premium do not include gpedit.msc. Instructions to install it are in my question & answer Windows Starter Edition, Home and Home Premium do not include gpedit, how do I install it?
  • orgads
    orgads over 6 years
    Replace /import with /configure
  • Asfand Qazi
    Asfand Qazi about 5 years
    For Windows 10 Pro 1803, I ran secpol.msc with Administrator privileges, then navigated to Security Settings -> Local Policies -> User Rights Assignment, and found 'Create symbolic links'
  • kxr
    kxr about 2 years
    "Those users will always have to run mklink in an elevated ..." : Is there a way to algo get rid of that UAC elevation need for symlink creation on Win7?
  • CervEd
    CervEd over 1 year
    this is why I prefer unix