Unable to grant SeCreateSymbolicLinkPrivilege RRS feed

  • Question

  • WS2008 R2 SP1 domain, servers and clients.

    I'm attempting to give a Security Group the "Create Symbolic Link" user right via Group Policy. Local Security Policy MMC shows the Policy is being applied, but when I log on as a member of the Group that was granted this right and issue this command--

    MKLINK /D <LinkPath> <TargetPath>

    --I get "Access is denied", and when I issue this command--


    --I get this:

    Privilege Name                Description                    State
    ============================= ============================== ========
    SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
    SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
    SeCreateSymbolicLinkPrivilege Create symbolic links          Disabled

    The user account is NOT a member of Administrators. However, I can successfully create the symlink issuing the same command on the same computer from an elevated command prompt with an Administrator account, so I believe it comes down to the SeCreateSymbolicLinkPrivelege being "Disabled" in WHOAMI despite the GUI's assurances to the contrary.

    <LinkPath> and <TargetPath> are both remote folders; R2R is enabled, as evidenced by the admin account's ability to create the symlink.

    The computer has been restarted after the user rights Group Policy was applied.

    I have also tried adding the test account itself to the GPO and restarting the computer; no change.

    User account has Full Control in <LinkPath> and Modify in <TargetPath>.

    How can I REALLY enable SeCreateSymbolicLinkPrivelege?


    Saturday, October 13, 2012 6:19 AM


  • Hi,

    Please check if the group policy is actually applied to the target server and the specific user.

    In my test, after applying the group policy, I could create the symbolic link successfully with a standard user account.

    From the screenshot, the privilege of SetCreateSymbolicLinkPrivilege is Disabled but I could still create it with a standard users.

    I tried to disable the group policy and get the message "do not have sufficient privilege to perform this operation".

    In addition, please also check if it is caused by UAC. You could test to disable it (User Access Control) to see the result.

    TechNet Subscriber Support in forum |If you have any feedback on our support, please contact tnmff@microsoft.com.

    Monday, October 15, 2012 3:42 AM