In the Local Security Policy there is an element
Local Policies -> User Rights Assignment -> Create Symbolic Links
which is supposed to list the users allowed to create symbolic links. By default only the Administrators group is present there. When I add a user with restricted permissions to this list, all works fine: this user indeed gets the ability to create links (I'm checking via the mklink utility). However, for users from the Administrators group this does not work at all: when I try to create a link, I get the "You do not have sufficient privilege to perform this operation" message. mklink works only from a console started with elevated privileges, while restricted users added to the list can create links without any elevation. I even tried to add the specific user from the Administrators group to the list in addition to this group, but of course it did not change anything. What should I do to allow myself to create symlinks directly, without elevation?
My OS is Vista Business SP1 32-bit (Russian), UAC is turned on.
The computer is not in a domain, so there is no group policy that could override local settings.
- Changed type Sean Zhu -Moderator Thursday, March 12, 2009 7:42 AM
Hi CaptainFlint_vk, thanks for your feedback on this issue. I have checked this with the same result. I suggest you visit the following link and send feedback to us:
Thank you for your time and effort!
Sean Zhu - MSFT
The normal operating systems
- Allow the links from the early '60s
- Allow file creation and linking to every user (file creation and privilege adjustment is dangerous - you must disable it by default)
- Do not "protect" their users from useful functionality.
You cannot work easily with the first thing the OS must provide - the files. It is just a flashy sandbox.
Windows protects us very well - adding the privilege to users and everyone makes no sense. I still cannot create links without an admin console.
After further searching, it turns out that this is caused by UAC (and is apparently by design): http://social.msdn.microsoft.com/Forums/en/os_fileservices/thread/e967ab01-3136-4fda-9677-e5ecaaa2f694
So I suppose you could also try disabling UAC, but that isn't very appealing from a security perspective! I couldn't find any way to configure the set of privileges that are filtered out by the UAC mechanism.
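To see the behaviour described in this thread on your own machine, the following added example (not posted by any participant in the thread) reports whether the current console's token is elevated, whether it carries the Administrators group, and whether it holds the symbolic link privilege. It assumes PowerShell 2.0 or later and the built-in `whoami` utility; the variable names are illustrative.

```powershell
# Added example, not from the thread. Run it once in a normal console and
# once in an elevated console, then compare the two results.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# IsInRole returns False for a UAC-filtered token, because the Administrators
# group is present in that token only for deny checks.
$elevated = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami lists every group in the token, including deny-only ones. Match on
# the well-known SID of BUILTIN\Administrators so that the check also works
# on localized systems, where group names are translated.
$groups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, Sid, Attributes
$adminMember = [bool]($groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' })

# Privilege names are not localized. Test for presence only: the State column
# (enabled/disabled) is localized and does not matter for this check.
$privs = whoami /priv /fo csv /nh |
    ConvertFrom-Csv -Header Name, Description, State
$hasSymlinkPriv = [bool]($privs |
    Where-Object { $_.Name -eq 'SeCreateSymbolicLinkPrivilege' })

$result = New-Object PSObject -Property @{
    User                  = $identity.Name
    AdministratorsInToken = $adminMember
    Elevated              = $elevated
    HasCreateSymbolicLink = $hasSymlinkPriv
}
$result | Format-List

# The combination reported in this thread: an administrator account whose
# non-elevated token lacks the privilege even though policy grants it.
if ($adminMember -and -not $elevated -and -not $hasSymlinkPriv) {
    'Administrator running with a filtered token: the privilege is granted ' +
    'by policy but is not present in this token, so mklink will fail here.'
}
```

For the account described in the question, the non-elevated console is expected to show `HasCreateSymbolicLink : False` and the elevated console `True`, while a restricted user added to the policy shows `True` without elevation.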