Cannot allow myself create symbolic links RRS feed

  • General discussion

  • In the Local Security Policy there is an element
    Local Policies -> User Rights Assignment -> Create Symbolic Links
    which is supposed to list the users allowed to create symbolic links. By default only the Administrators group is present there. When I add to this list a user with restricted permissions all works fine, this user indeed gets the ability to create links (I'm checking via the mklink utility). However, for users from the Administrators group this does not work at all: when I try to create a link, I get "You do not have sufficient privilege to perform this operation" message. mklink works only from a console started with elevated privileges, while restricted users added to the list can create links without any elevation. I even tried to add the specific user from the Administrators group to the list in addition to this group, but of course it did not change anything. What should I do to allow myself create symlinks directly, without elevation?

    My OS is Vista Business SP1 32-bit (russian), UAC is turned on.
    The computer is not in domain, so there is no group policy that could override local settings.
    Tuesday, March 10, 2009 10:49 PM

All replies


    Hi CaptainFlint_vk, thanks for your feedback on this issue. I have checked this with the same result. I suggest you visit the following link and send feedback to us:




    Thank you for your time and effort!

    Sean Zhu - MSFT
    Thursday, March 12, 2009 7:42 AM
  • OK, I did so.
    Friday, March 13, 2009 8:40 PM
  • I have the same issue in Windows 7. Are you going to fix it?
    Tuesday, November 3, 2009 1:36 PM
  • Does anyone know if this has been fixed on either Windows 7 or Windows Vista yet?
    Monday, January 11, 2010 4:06 PM
  • This is still broken as of today (and my Windows 7 system is fully patched) -- any plans to fix this MS?
    Wednesday, November 17, 2010 3:32 PM
  • Just in case I forget again and stumble on this thread, the cmd needs to be run as administrator.
    Monday, July 4, 2011 8:20 PM
  • The normal operating systems

    1. Allow the links from early 60-ties
    2. Allow file creation and linking to every user (file creation and privilege adjustment is dangerous - you must disable it by default)
    3. Do not "protect" their users from useful functionality. 

    You cannot work easily with the first thing the OS must provide - the files. It is just a flashy sandbox.


    Windows protects us very well - adding the privilege to users and everyone makes no sense. I still cannot create links without admin console.

    Wednesday, August 17, 2011 9:11 AM
  • After further searching, it turns out that this is caused by UAC (and is apparently by design): http://social.msdn.microsoft.com/Forums/en/os_fileservices/thread/e967ab01-3136-4fda-9677-e5ecaaa2f694

    So I suppose you could also try disabling UAC, but that isn't very appealing from a security perspective! I couldn't find any way to configure the set of privileges that are filtered out by the UAC mechanism.

    Tuesday, September 13, 2011 6:47 PM