Windows Server 2008 Create Symbolic Link, updated Security Policy still gives privilege error


Solution 1

Have not tried this, but if user A has the symbolic link priv, then open up a cmd and do

runas /user:domain\a cmd

then within that window try the mklink

All users, even admins, run with limited permissions on 08+; you need to elevate first. Don't really hold out a lot of hope on this working!

Solution 2

There is a bug with this Security Policy setting and the Administrator group. Maybe it is what you are experiencing as well.

If the user(s) you added are members of the Administrator group, then this setting has no effect. Removing them from the Admin group fixes this issue.

Author: Siqi Lin

Updated on September 17, 2022

Comments

  • Siqi Lin
    Siqi Lin 5 months

    Windows Server 2008, RC2. I am trying to create a symbolic/soft link using the mklink command:

    mklink /D LinkName TargetDir
    e.g. c:\temp\>mklink /D foo bar
    

    This works fine if I run the command line as Administrator. However, I need it to work for regular users as well, because ultimately I need another program (executing as a user) to be able to do this.

    So, I updated the Local Security Policy via secpol.msc. Under "Local Policies" > "User Rights Management" > "Create symbolic links", I added "Users" to the security setting.

    I rebooted the machine. It still didn't work. So I added "Everyone" to the policy. Rebooted. And STILL it didn't work.

    What on earth am I doing wrong here? I think my user is even an Administrator on this box, and running plain command line even with this updated policy in place still gives me:

    You do not have sufficient privilege to perform this operation.
    

    It's not looking promising for me: http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread/cb593ad0-9edc-4cd1-bb67-46c360b45f91

    Sounds like others have experienced this problem, and I've yet to find a resolution. Anyone out there been able to programmatically create soft/symbolic links?

    • JJ_Australia
      JJ_Australia over 12 years
      Have you tried Junction instead of mklink?
    • Naidim
      Naidim over 12 years
      @Hello71: MKLINK in Vista onwards replaces JUNCTION from the Win Server 2003 Resource Kit. It has more functionality for the new NTFS abilities (symlinks).
    • JJ_Australia
      JJ_Australia over 12 years
      @jason404: I was talking about the junction.exe from Sysinternals by Mark Russinovich.
    • Naidim
      Naidim over 12 years
      @Hell071: Oh yes, I was mixing it up with LINKD. However, both LINKD and JUNCTION are not as much use as MKLINK on Vista/Win7/2008/2008 R2.
    • Matthew Skelton
      Matthew Skelton about 10 years
      Looks like you might need to use mklink /j instead of /d for the expected behaviour
  • Siqi Lin
    Siqi Lin over 12 years
    Thanks for the tip - I'm actually having problems getting runas to work for me - it keeps giving me "the system cannot find the file specified" errors: c:>runas /user:domain\username "mlink /D name target". Of course, ultimately I need this scriptable, and the password prompt for said user makes that hard. I think you may be right about not holding out a lot of hope!
  • user33788
    user33788 over 12 years
    try to run just the cmd elevated then run mklink within that session
  • Siqi Lin
    Siqi Lin over 12 years
    ah, interesting. That did the trick. Now, if only I could do it without runas since I want to script it!
  • user33788
    user33788 over 12 years
    hopefully you can use powershell, if so then checkout get-credentials
  • user33788
    user33788 over 12 years
    why does it need to be scripted? I don't see the reasoning behind this.
  • Siqi Lin
    Siqi Lin over 11 years
    Didn't know you can ctrl-shift-enter to run as admin, nice trick. But as I stated in the question, ultimately the command needs to be executable from a program (scripted), without human intervention, so this won't help in that regard.
  • user364455
    user364455 over 8 years
    It is not a bug but intended UAC behavior: The new token is stripped of all the privileges assigned to the user except those listed in Figure 9 (Bypass traverse checking, Shut down the system, Remove computer from docking station, Increase a process working set, Change the time zone) TechNet Magazine
  • Jesko Hüttenhain
    Jesko Hüttenhain almost 6 years
    +1, I had this problem on Windows 2k8R2, and this answer worked for me.
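
To check which of the explanations in this thread applies on a given machine, here is an added example that is not part of the original answers or comments. The PowerShell function below (hypothetical name `Get-SymlinkTokenReport`) parses `whoami /priv` and `whoami /groups` and reports whether the current token holds SeCreateSymbolicLinkPrivilege or is a UAC-filtered administrator token. It assumes English-language `whoami` output; the sample input is constructed.

```powershell
# Added example: explain an mklink privilege error by inspecting the process token.
# Assumes English whoami column names ("Privilege Name", "SID", "Attributes").
function Get-SymlinkTokenReport {
    param(
        [string[]]$PrivCsv  = (whoami /priv /fo csv),
        [string[]]$GroupCsv = (whoami /groups /fo csv)
    )
    # The privilege only has to be present in the token; "Disabled" still counts.
    $priv = $PrivCsv | ConvertFrom-Csv |
        Where-Object { $_.'Privilege Name' -eq 'SeCreateSymbolicLinkPrivilege' }
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $admin = $GroupCsv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq 'S-1-5-32-544' }

    $hasPriv  = [bool]$priv
    # A filtered (non-elevated) token carries Administrators as deny-only.
    $filtered = [bool]($admin -and ($admin.Attributes -match 'deny only'))

    $diagnosis = if ($hasPriv) {
        'Privilege is in the token; mklink should be allowed.'
    } elseif ($filtered) {
        'Filtered UAC token: privilege stripped. Elevate, or use an account outside Administrators.'
    } else {
        'Privilege not granted to this account, or policy not yet applied to this logon session.'
    }
    New-Object PSObject -Property @{
        HasSymlinkPrivilege = $hasPriv
        FilteredAdminToken  = $filtered
        Diagnosis           = $diagnosis
    }
}

# Constructed sample: non-elevated shell of a user who is in Administrators.
$samplePriv = @(
    '"Privilege Name","Description","State"',
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"',
    '"SeShutdownPrivilege","Shut down the system","Disabled"'
)
$sampleGroups = @(
    '"Group Name","Type","SID","Attributes"',
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"'
)
Get-SymlinkTokenReport -PrivCsv $samplePriv -GroupCsv $sampleGroups | Format-List

# Live check of the current session's token (run on the affected server).
Get-SymlinkTokenReport | Format-List
```

Run the live check from the same context as the program that will call mklink, since the token of an interactive shell and that of a service or scheduled task can differ.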