Unable to grant SeCreateSymbolicLinkPrivilege

• Question

• 

  

  0

  Sign in to vote

  WS2008 R2 SP1 domain, servers and clients.

  I'm attempting to give a Security Group the "Create Symbolic Link" user right via Group Policy. Local Security Policy MMC shows the Policy is being applied, but when I log on as a member of the Group that was granted this right and issue this command--

  MKLINK /D <LinkPath> <TargetPath>

  --I get "Access is denied", and when I issue this command--

  WHOAMI /PRIV

  --I get this:

  Privilege Name                Description                    State
  ============================= ============================== ========
  SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
  SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
  SeCreateSymbolicLinkPrivilege Create symbolic links          Disabled

  The user account is NOT a member of Administrators. However, I can successfully create the symlink issuing the same command on the same computer from an elevated command prompt with an Administrator account, so I believe it comes down to the SeCreateSymbolicLinkPrivelege being "Disabled" in WHOAMI despite the GUI's assurances to the contrary.

  <LinkPath> and <TargetPath> are both remote folders; R2R is enabled, as evidenced by the admin account's ability to create the symlink.

  The computer has been restarted after the user rights Group Policy was applied.

  I have also tried adding the test account itself to the GPO and restarting the computer; no change.

  User account has Full Control in <LinkPath> and Modify in <TargetPath>.

  How can I REALLY enable SeCreateSymbolicLinkPrivelege?

  TIA

  Saturday, October 13, 2012 6:19 AM