29

I'd like to enable my standard user account (i.e. not elevated) to be able to call CreateSymbolicLink.

However, on Win8, even adding "Everyone" to the SeCreateSymbolicLinkPrivilege ("Create Symbolic Links" in secpol.msc) under local group policy still results in STATUS_PRIVILEGE_NOT_HELD. Why?

Cœur
Ana Betts
  • 1
    Silly question, are you running `cmd` as Administrator? – Peter Ritchie Mar 10 '13 at 09:56
  • 3
    This setting works for me, when the user in question is a standard user (in Users, not Administrators), but when the user is in Administrators, creating Symlinks is subject to UAC. – Christian Klauser Mar 10 '13 at 12:53
  • 2
    @PeterRitchie I'm explicitly trying to configure my local security policy so creating Symlinks doesn't require elevation – Ana Betts Mar 10 '13 at 19:37
  • @ChristianKlauser Are you saying that UAC is hard-coded to trump what's in the local GP? – Ana Betts Mar 10 '13 at 19:38
  • Apparently if the user is in the administrator's group they have to Run as Administrator to use MKLINK. If you remove the user from Administrators apparently all the above works. See also http://superuser.com/questions/124679/how-do-i-create-a-link-in-windows-7-home-premium-as-a-regular-user – Peter Ritchie Mar 10 '13 at 22:20
  • Isn't this a mishap by Microsoft? – v.oddou Oct 30 '18 at 02:05

1 Answer

25

It is indeed UAC, as Christian suspected.

MSDN: Windows Vista Application Development Requirements for User Account Control Compatibility:

What privileges the filtered token contain are based on whether the original token contained any of the restricted RIDS listed above (ed: AKA if you're a non-elevated Admin). If any of the restricted RIDs were in the token, all of the privileges are removed except:

  • SeChangeNotifyPrivilege
  • SeShutdownPrivilege
  • SeUndockPrivilege
  • SeReserveProcessorPrivilege
  • SeTimeZonePrivilege
Palec
Ana Betts
  • 3
    Ah yes that makes sense. Is this configurable or did Microsoft hard-code this set of retained privileges? Having `SeCreateSymbolicLinkPrivilege` on that list would be nice. – Christian Klauser Mar 12 '13 at 13:05
  • 1
    I can verify that once UAC is disabled, I'm able to create symlinks, even from my main account that has admin rights. Wooohoo! – Vladimir Sizikov Aug 14 '13 at 21:44
  • 4
    FYI, you can double-check your own privileges in use with `whoami /priv`. – sschuberth Mar 28 '14 at 08:10
  • I have a bizarre situation. I believe one of the Insider Previews changed the Token behavior. I have a VM with non-insider preview Windows 10 and I cannot create symlinks without using Run as Admin. I've turned off UAC, put users in the Group Policy and still doesn't work. On another machine I have what I believe is the same setup but it has the latest Insider Preview build. And it allows me to create symlinks WITHOUT Run As Admin. Ideas? – Andrew T Finnell Oct 02 '16 at 19:54
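An added example, not part of the original thread: a small Python check that tells the two cases discussed above apart from the output of `whoami /groups /fo csv /nh` and `whoami /priv /fo csv /nh`. It assumes English-locale `whoami` text and the usual CSV column order; the sample output is constructed, and `diagnose` is a hypothetical helper name.

```python
import csv
import io

ADMINS_SID = "S-1-5-32-544"             # BUILTIN\Administrators, well-known SID
DENY_ONLY = "Group used for deny only"  # assumption: English-locale whoami text
SYMLINK = "SeCreateSymbolicLinkPrivilege"

def _rows(text):
    return [r for r in csv.reader(io.StringIO(text.strip())) if r]

def diagnose(groups_csv, priv_csv):
    """Classify a token from `whoami /groups /fo csv /nh` and `whoami /priv /fo csv /nh`."""
    # Group columns: name, type, SID, attributes. Privilege columns: name, description, state.
    filtered = any(len(r) >= 4 and r[2] == ADMINS_SID and DENY_ONLY in r[3]
                   for r in _rows(groups_csv))
    held = SYMLINK in {r[0] for r in _rows(priv_csv)}
    if held:
        verdict = "privilege is in the token"
    elif filtered:
        verdict = "filtered admin token: privilege is absent until elevation"
    else:
        verdict = "token is not UAC-filtered: check the policy grant"
    return filtered, held, verdict

# Constructed sample output (not captured from a real machine).
ADMIN_GROUPS = r'''
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
'''
ADMIN_PRIVS = '''
"SeShutdownPrivilege","Shut down the system","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
'''
USER_GROUPS = r'''
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
'''
USER_PRIVS = '''
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeCreateSymbolicLinkPrivilege","Create symbolic links","Disabled"
'''

if __name__ == "__main__":
    print(diagnose(ADMIN_GROUPS, ADMIN_PRIVS))
    print(diagnose(USER_GROUPS, USER_PRIVS))
```

On a real machine, pass the captured output of the two `whoami` commands in place of the constructed samples.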