Permission to make symbolic links in Windows 7?
Solution 1
-
Open the Local Group Policy Editor :
Run
>gpedit.msc
. If that doesn't work trysecpol.msc
(Note, Windows Home users might need to enable group-policy-editor first). -
Go to (Windows Pro users might don't see the first two items ) :
Computer configuration → Windows Settings
→Security Settings → Local Policies → User Rights Assignment
and edit theCreate symbolic links
. -
Add the user or group that you want to allow to create symbolic links.
-
If you've added your own user account, you need to log out and log in back in for the change to have an effect.
Note: This setting has no effect on user accounts that belong to the Administrators group. Those users will always have to run mklink
in an elevated environment (as Administrator) because of the way UAC removes privileges when creating an non-elevated access token. There is a handy Excel reference sheet for finding group policy settings: Group Policy Settings Reference for Windows and Windows Server
Solution 2
Some windows configurations miss gpedit.msc
. In this case You can try as an alternative:
- running this PowerShell script from here:
function addSymLinkPermissions($accountToAdd){
Write-Host "Checking SymLink permissions.."
$sidstr = $null
try {
$ntprincipal = new-object System.Security.Principal.NTAccount "$accountToAdd"
$sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
$sidstr = $sid.Value.ToString()
} catch {
$sidstr = $null
}
Write-Host "Account: $($accountToAdd)" -ForegroundColor DarkCyan
if( [string]::IsNullOrEmpty($sidstr) ) {
Write-Host "Account not found!" -ForegroundColor Red
exit -1
}
Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan
$tmp = [System.IO.Path]::GetTempFileName()
Write-Host "Export current Local Security Policy" -ForegroundColor DarkCyan
secedit.exe /export /cfg "$($tmp)"
$c = Get-Content -Path $tmp
$currentSetting = ""
foreach($s in $c) {
if( $s -like "SECreateSymbolicLinkPrivilege*") {
$x = $s.split("=",[System.StringSplitOptions]::RemoveEmptyEntries)
$currentSetting = $x[1].Trim()
}
}
if( $currentSetting -notlike "*$($sidstr)*" ) {
Write-Host "Need to add permissions to SymLink" -ForegroundColor Yellow
Write-Host "Modify Setting ""Create SymLink""" -ForegroundColor DarkCyan
if( [string]::IsNullOrEmpty($currentSetting) ) {
$currentSetting = "*$($sidstr)"
} else {
$currentSetting = "*$($sidstr),$($currentSetting)"
}
Write-Host "$currentSetting"
$outfile = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SECreateSymbolicLinkPrivilege = $($currentSetting)
"@
$tmp2 = [System.IO.Path]::GetTempFileName()
Write-Host "Import new settings to Local Security Policy" -ForegroundColor DarkCyan
$outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force
Push-Location (Split-Path $tmp2)
try {
secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS
} finally {
Pop-Location
}
} else {
Write-Host "NO ACTIONS REQUIRED! Account already in ""Create SymLink""" -ForegroundColor DarkCyan
Write-Host "Account $accountToAdd already has permissions to SymLink" -ForegroundColor Green
return $true;
}
}
- download polsedit which looks like freeware alternative to gpedit.msc
Then run gpupdate /force
to apply changes immediately
Related videos on Youtube
KarolDepka
Updated on September 17, 2022Comments
-
KarolDepka about 1 year
How can I grant a particular user the permission to create symlinks in Windows 7?
I've searched through "Group Policy" and Google, but haven't found anything.
On a side note, is there a way to search through everything in Group Policy Editor? The filters only seem to work on particular subtrees. I never actually found anything using the filters.
-
Monsignor over 6 yearsBTW Does anybody know why creating symlinks requires admin permissions? What is so dangerous in them?
-
Joshua about 6 years@Monsignor: I saw a long time ago that Microsoft claimed too many programs couldn't handle them safely. Anyway I'm rather annoyed that they require elevation to use.
-
-
Seldaek over 13 yearsHere it looked more like the following, just for reference if someone gets confused: Control Panel > Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment > Create symbolic links And by the way you need to logout and login again for the settings to apply.
-
Seldaek over 13 yearsAnd you can run secpol.msc to skip the first part, then all you got left is : Local Policies > User Rights Assignment > Create symbolic links
-
ajax992 almost 13 yearsAlso: Running "gpupdate /force" from either CMD or just the Run dialog should apply the setting as well.
-
palswim over 9 years
iisreset
will do this for IIS permissions. -
David Käriu III over 8 yearsAny way to do the same via registry for Microsoft-hated-non-Windows-8-Pro users? gpedit.msc is not available to them
-
DanO over 8 years@szx - unfortunately User Rights security settings are not registry keys. If you are into programming, you can change the settings programmatically. However, using the numerous gpedit.msc hacks available to simple get gpedit onto windows home editions will likely be easier. Search for "advapi32 exports" if you want to do it programmatically.
-
SimonH about 8 yearsI don't have the permission to run
gpedit.mcs
as a normal User. Is there another way I can see what privileges I have (especially if I may create symbolic links)? -
Trevor Boyd Smith over 7 yearsre - "Those users will always have to run mklink in an elevated environment (as Administrator)"... so administrators are always having to run with elevated... arg.
-
Kevin Smyth over 7 yearsFor Home users: secedit /import /db secedit.sdb /cfg symlink_everyone.inf
-
Lawrence Dol almost 7 years@KevinSmyth: Where does the SDB file come from?
-
miroxlav almost 7 yearsBesides giving the source. please add the script in case the source is no longer present.
-
DavidPostill almost 7 yearsWindows Starter Edition, Home and Home Premium do not include gpedit.msc. Instructions to install it are in my question & answer Windows Starter Edition, Home and Home Premium do not include gpedit, how do I install it?
-
orgads over 6 yearsReplace /import with /configure
-
Asfand Qazi about 5 yearsFor Windows 10 Pro 1803, I ran secpol.msc with Administrator privileges, then navigated to Security Settings -> Local Policies -> User Rights Assignment, and found 'Create symbolic links'
-
kxr about 2 years"Those users will always have to run mklink in an elevated ..." : Is there a way to algo get rid of that UAC elevation need for symlink creation on Win7?
-
CervEd over 1 yearthis is why I prefer unix