Windows Server 2008 Create Symbolic Link, updated Security Policy still gives privilege error
Solution 1
Have not tried this, but if user A has the symbolic link priv, then open up a cmd and do
runas /user:domain\a cmd
then within that window try the mklink.
All users, even admins, run with limited permissions on 08+; you need to elevate first. Don't really hold out a lot of hope on this working!
Solution 2
There is a bug with this Security Policy setting and the Administrator group. Maybe it is what you are experiencing as well.
If the user(s) you added are members of the Administrator group, then this setting has no effect. Removing them from the Admin group fixes this issue.
Siqi Lin
Updated on September 17, 2022
Comments
-
Siqi Lin over 1 year
Windows Server 2008, RC2. I am trying to create a symbolic/soft link using the mklink command:
mklink /D LinkName TargetDir
e.g. c:\temp\>mklink /D foo bar
This works fine if I run the command line as Administrator. However, I need it to work for regular users as well, because ultimately I need another program (executing as a user) to be able to do this.
So, I updated the Local Security Policy via secpol.msc. Under "Local Policies" > "User Rights Management" > "Create symbolic links", I added "Users" to the security setting.
I rebooted the machine. It still didn't work. So I added "Everyone" to the policy. Rebooted. And STILL it didn't work.
What on earth am I doing wrong here? I think my user is even an Administrator on this box, and running plain command line even with this updated policy in place still gives me:
You do not have sufficient privilege to perform this operation.
It's not looking promising for me: http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread/cb593ad0-9edc-4cd1-bb67-46c360b45f91
Sounds like others have experienced this problem, and I've yet to find a resolution. Anyone out there been able to programmatically create soft/symbolic links?
-
JJ_Australia almost 14 years
Have you tried Junction instead of mklink?
-
Naidim over 13 years
@Hello71: MKLINK in Vista onwards replaces JUNCTION from the Win Server 2003 Resource Kit. It has more functionality for the new NTFS abilities (symlinks).
-
JJ_Australia over 13 years
@jason404: I was talking about the junction.exe from Sysinternals by Mark Russinovich.
-
Naidim over 13 years
@Hell071: Oh yes, I was mixing it up with LINKD. However, both LINKD and JUNCTION are not as much use as MKLINK on Vista/Win7/2008/2008 R2.
-
Matthew Skelton over 11 years
Looks like you might need to use mklink /j instead of /d for the expected behaviour
-
-
Siqi Lin almost 14 years
Thanks for the tip - I'm actually having problems getting runas to work for me - it keeps giving me "the system cannot find the file specified" errors: c:>runas /user:domain\username "mlink /D name target". Of course, ultimately I need this scriptable, and the password prompt for said user makes that hard. I think you may be right about not holding out a lot of hope!
-
user33788 almost 14 years
Try to run just the cmd elevated, then run mklink within that session.
-
Siqi Lin almost 14 years
Ah, interesting. That did the trick. Now, if only I could do it without runas since I want to script it!
-
user33788 almost 14 years
Hopefully you can use powershell; if so, then check out get-credentials.
-
user33788 almost 14 years
Why does it need to be scripted? I don't see the reasoning behind this.
-
Siqi Lin almost 13 years
Didn't know you can ctrl-shift-enter to run as admin, nice trick. But as I stated in the question, ultimately the command needs to be executable from a program (scripted), without human intervention, so this won't help in that regard.
-
user364455 over 9 years
It is not a bug but intended UAC behavior: The new token is stripped of all the privileges assigned to the user except those listed in Figure 9 (Bypass traverse checking, Shut down the system, Remove computer from docking station, Increase a process working set, Change the time zone) TechNet Magazine
-
Jesko Hüttenhain almost 7 years
+1, I had this problem on Windows 2k8R2, and this answer worked for me.
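
Added example (not part of the original thread or any poster's code): a PowerShell check that shows which of the situations discussed above applies to the current process, by testing whether SeCreateSymbolicLinkPrivilege is in the token and whether the token is a UAC-filtered administrator token. It assumes PowerShell 2.0 or later and English-language whoami output; the variable names and verdict strings are illustrative.

```powershell
# Added diagnostic (not from the thread). Run it as the account that will call mklink.
# Assumes PowerShell 2.0+ and English whoami output for the "deny only" attribute text.
$privName = 'SeCreateSymbolicLinkPrivilege'   # the "Create symbolic links" user right

# Privileges in the CURRENT process token. CSV columns: name, description, state.
# State "Disabled" still counts as present; a stripped privilege is absent from the list.
$privs   = whoami /priv /fo csv /nh | ConvertFrom-Csv -Header Name, Description, State
$hasPriv = [bool]($privs | Where-Object { $_.Name -eq $privName })

# Is this process running elevated (full administrator token)?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# A UAC-filtered token keeps BUILTIN\Administrators (S-1-5-32-544) only as a deny-only group.
$groups   = whoami /groups /fo csv /nh | ConvertFrom-Csv -Header Group, Type, SID, Attributes
$admin    = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
$filtered = [bool]($admin -and ($admin.Attributes -match 'deny only'))

if ($hasPriv) {
    $verdict = "$privName is present in this token."
} elseif ($filtered) {
    # The case from the thread: member of Administrators, not elevated, privilege stripped.
    $verdict = "Administrators member with a UAC-filtered token: $privName was stripped. " +
               "Run elevated, or use an account outside Administrators that holds the right."
} elseif ($elevated) {
    $verdict = "Elevated, but $privName is missing: check who holds 'Create symbolic links'."
} else {
    $verdict = "Standard user without $privName: grant 'Create symbolic links' and log on again."
}

# Emit one object so the result can be logged or tested by a calling script.
New-Object PSObject -Property @{
    User         = $identity.Name
    Elevated     = $elevated
    FilteredAdmin = $filtered
    HasPrivilege = $hasPriv
    Verdict      = $verdict
}
```

Running it once from a plain prompt and once from an elevated prompt under the same administrator account shows the difference between the two tokens.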