mklink permission on windows 8

Question

I need to create symbolic links via mklink as an user, not as an administrator. I have set via secpol.msc and Security Settings → Local Policies → User Rights Assignment rule Create Symbolic links to user, that is currently logged in. After that I have restarted my laptop and tried to create symlink.

I still get the error: You do not have sufficient privilege to perform this operation.

The strange thing is that when I create junction (mklink /d /j ...) it works fine. For other mklink operations does not.

So the question is simple, how can I need to set permissions in windows 8 to get mklink work properly under user, not administrator?

Thank you for help.

[This link](http://superuser.com/questions/124679/how-do-i-create-a-link-in-windows-7-home-premium-as-a-regular-user) may be useful. — Joachim Isaksson, May 09 '13 at 16:00
OMG, quite strange solution, but it solved my problem. Thank you very much. For others quick summary: the user, that runs mklink can not be administrator at the same time. Create non admin user and use runas to perform mklink without need of administrator. — Jan Prokes, May 09 '13 at 17:00
pretty strange, my question is: what is the vulnerability that this restriction mitigates? — user1708042, Nov 14 '22 at 09:18

score 1 · Answer 1 · answered Jan 30 '16 at 22:54

1

You can create symbolic links in non-elevated command prompt ONLY if you have enabled SeCreateSymbolicLink policy for user AND user doesn't belong to Administrators group

answered Jan 30 '16 at 22:54

maoizm

682
13
17

ZZ9 · Answer 2 · 2016-01-25T12:24:21.077

0

User Account Control requires elevation for commands that can link accross SMB boundaries.

Junction does not require elevation as it cannot link accross.

The only way around this that springs to mind is disabling UAC or to RunAs an admin. I do not recommend this.

edited Jan 25 '16 at 12:24

answered Jul 24 '14 at 08:18

ZZ9

2,177
2
27
38

You're right. And nobody in century XXI should disable UAC to workaround something... it's really a bad idea. – Vinicius Xavier Jan 23 '16 at 17:46
I hasten to add I do not recommend ever disabling UAC unless you have masochistic tendancies – ZZ9 Jan 25 '16 at 12:22

Arca · Answer 3 · 2019-06-01T21:09:56.863

0

I found this way works:

Find 'Command Prompt'.
Right click on it.
On the menu that comes up, click 'Run as Administrator'.

Now type in the command.

The command is mklink /d "{the link where you want the symlink to be}\{the name of the symlink}" "{link to the actual folder}"

edited Jun 01 '19 at 21:09

answered May 31 '19 at 13:27

Arca

11
1

mklink permission on windows 8

3 Answers3