Windows Server 2008 Create Symbolic Link, updated Security Policy still gives privilege error

security windows-server-2008 symbolic-link
22,929

Solution 1

have not tried this but if if user A has the symbolic link priv, then open up a cmd and do

runas /user:domain\a cmd

then within that windows try the mklink

all users, even admins run with limited permissions on 08+ you need to elevate 1st. Don't really hold out a lot of hope on this working!

Solution 2

There is a bug with this Security Policy setting and the Administrator group. Maybe it is what you are experiencing as well.

If the user(s) you added are member of the Administrator group, then this setting has no effect. Removing them from the Admin group fixes this issue.

Share:
22,929

Related videos on Youtube

Siqi Lin
Author by

Siqi Lin

Updated on September 17, 2022

Comments

  • Siqi Lin
    Siqi Lin over 1 year

    Windows Server 2008, RC2. I am trying to create a symbolic/soft link using the mklink command:

    mklink /D LinkName TargetDir
e.g. c:\temp\>mklink /D foo bar

    This works fine if I run the command line as Administrator. However, I need it to work for regular users as well, because ultimately I need another program (executing as a user) to be able to do this.

    So, I updated the Local Security Policy via secpol.msc. Under "Local Policies" > "User Rights Management" > "Create symbolic links", I added "Users" to the security setting.

    I rebooted the machine. It still didn't work. So I added "Everyone" to the policy. Rebooted. And STILL it didn't work.

    What on earth am I doing wrong here? I think my user is even an Administrator on this box, and running plain command line even with this updated policy in place still gives me:

    You do not have sufficient privilege to perform this operation.

    It's not looking promising for me:http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread/cb593ad0-9edc-4cd1-bb67-46c360b45f91

    Sounds like others have experienced this problem, and I've yet to find a resolution. Anyone out there been able to programmatically create soft/sybmolic links?

    • JJ_Australia
      JJ_Australia almost 14 years
      Have you tried Junction instead of mklink?
    • Naidim
      Naidim over 13 years
      @Hello71: MKLINK in Vista onwards replaces JUNCTION from the Win Server 2003 Resource Kit. It has more functionality for the new NTFS abilities (symlinks).
    • JJ_Australia
      JJ_Australia over 13 years
      @jason404: I was talking about the junction.exe from Sysinternals by Mark Russinovich.
    • Naidim
      Naidim over 13 years
      @Hell071: Oh yes, I was mixing it up with LINKD. However, both LINKD and JUNCTION are not as much use as MKLINK on Vista/Win7/2008/2008 R2.
    • Matthew Skelton
      Matthew Skelton over 11 years
      Looks like you might need to use mklink /j instead of /d for the expected behaviour
  • Siqi Lin
    Siqi Lin almost 14 years
    thanks for the tip - I'm actually having problems getting runas to work for me - it keeps giving me "the system cannot find the file specified" errors: c:>runas /user:domain\username "mlink /D name target". Of course, ultimately I need this scriptable, and the password propmpt for said user makes that hard. I think you may be right about not holding out a lot of hope!
  • user33788
    user33788 almost 14 years
    try to run just the cmd elevated then run mklink within that session
  • Siqi Lin
    Siqi Lin almost 14 years
    ah, interesting. That did the trick. Now, if only I could do it without runas since I want to script it!
  • user33788
    user33788 almost 14 years
    hopefully you can use powershell, if so then checkout get-credentials
  • user33788
    user33788 almost 14 years
    why does it need to be scripted? I don't see the reasoning behind this.
  • Siqi Lin
    Siqi Lin almost 13 years
    Didn't know you can ctrl-shift-enter to run as admin, nice trick. But as I stated in the question, ultimately the command needs be be executable from a program (scripted), without human intervention, so this won't help in that regard.
  • user364455
    user364455 over 9 years
    It is not a bug but intended UAC behavior: The new token is stripped of all the privileges assigned to the user except those listed in Figure 9 (Bypass traverse checking, Shut down the system, Remove computer from docking station, Increase a process working set, Change the time zone) TechNet Magazine
  • Jesko Hüttenhain
    Jesko Hüttenhain almost 7 years
    +1, I had this problem on Windows 2k8R2, and this answer worked for me.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

IIS7 give ApplicationPoolIdentity access to a network location
Permission to make symbolic links in Windows 7?
Win Server Security: Why do members of a group not get access when the Group has permission?
Default Domain Policy Overriding Custom GPO even though Custom GPO is Enforced
How to disable SSL/TLS compression in Apache 2.2.16?
connecting ipads to a windows domain
LDAP throws Event ID 2887 warnings even after enabling "require signing"
Account lockouts not in Event Viewer
Installing Terminal Server (Remote Desktop Services) on a Domain Controller (Active Directory)
How to set group policy in windows server 2008 domain?