8

Windows Server 2008, RC2. I am trying to create a symbolic/soft link using the mklink command:

mklink /D LinkName TargetDir
e.g. c:\temp\>mklink /D foo bar

This works fine if I run the command line as Administrator. However, I need it to work for regular users as well, because ultimately I need another program (executing as a user) to be able to do this.

So, I updated the Local Security Policy via secpol.msc. Under "Local Policies" > "User Rights Management" > "Create symbolic links", I added "Users" to the security setting.

I rebooted the machine. It still didn't work. So I added "Everyone" to the policy. Rebooted. And STILL it didn't work.

What on earth am I doing wrong here? I think my user is even an Administrator on this box, and running plain command line even with this updated policy in place still gives me:

You do not have sufficient privilege to perform this operation.

It's not looking promising for me:http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread/cb593ad0-9edc-4cd1-bb67-46c360b45f91

Sounds like others have experienced this problem, and I've yet to find a resolution. Anyone out there been able to programmatically create soft/sybmolic links?

Improve this question
5
  • 1
    Have you tried Junction instead of mklink?
    – Hello71
    Commented Jun 4, 2010 at 22:07
  • @Hello71: MKLINK in Vista onwards replaces JUNCTION from the Win Server 2003 Resource Kit. It has more functionality for the new NTFS abilities (symlinks).
    – paradroid
    Commented Sep 13, 2010 at 10:27
  • @jason404: I was talking about the junction.exe from Sysinternals by Mark Russinovich.
    – Hello71
    Commented Sep 13, 2010 at 21:43
  • @Hell071: Oh yes, I was mixing it up with LINKD. However, both LINKD and JUNCTION are not as much use as MKLINK on Vista/Win7/2008/2008 R2.
    – paradroid
    Commented Sep 14, 2010 at 5:22
  • Looks like you might need to use mklink /j instead of /d for the expected behaviour
    – Matthew Skelton
    Commented Dec 10, 2012 at 15:20

4 Answers 4

Reset to default
1

have not tried this but if if user A has the symbolic link priv, then open up a cmd and do

runas /user:domain\a cmd

then within that windows try the mklink

all users, even admins run with limited permissions on 08+ you need to elevate 1st. Don't really hold out a lot of hope on this working!

Improve this answer
6
  • thanks for the tip - I'm actually having problems getting runas to work for me - it keeps giving me "the system cannot find the file specified" errors: c:>runas /user:domain\username "mlink /D name target". Of course, ultimately I need this scriptable, and the password propmpt for said user makes that hard. I think you may be right about not holding out a lot of hope!
    – Matt
    Commented Jun 4, 2010 at 21:27
  • try to run just the cmd elevated then run mklink within that session
    – user33788
    Commented Jun 4, 2010 at 21:53
  • ah, interesting. That did the trick. Now, if only I could do it without runas since I want to script it!
    – Matt
    Commented Jun 4, 2010 at 21:59
  • hopefully you can use powershell, if so then checkout get-credentials
    – user33788
    Commented Jun 5, 2010 at 3:07
  • why does it need to be scripted? I don't see the reasoning behind this.
    – user33788
    Commented Jun 5, 2010 at 3:29
1

There is a bug with this Security Policy setting and the Administrator group. Maybe it is what you are experiencing as well.

If the user(s) you added are member of the Administrator group, then this setting has no effect. Removing them from the Admin group fixes this issue.

Improve this answer
2
  • I confirm that this is the case on W 8.1
    – Eugene Pankov
    Commented Oct 30, 2014 at 18:05
  • 1
    It is not a bug but intended UAC behavior: The new token is stripped of all the privileges assigned to the user except those listed in Figure 9 (Bypass traverse checking, Shut down the system, Remove computer from docking station, Increase a process working set, Change the time zone) TechNet Magazine
    – user364455
    Commented Oct 30, 2014 at 19:26
0

I had the same issue on Windows 7, but was able to run the CMD window as an admin and get it to work by following these instructions:

  1. Click the Start Button.
  2. Type cmd in the search box at the bottom.
  3. Press the Ctrl + Shift + Enter keys all at once.

Note: This opens up the command prompt as Administrator. If you don't do this, you'll get a error saying that there are insufficient permissions to create the symbolic link later on.

http://www.inkplant.com/code/how-to-create-a-symbolic-link-in-windows-vista.php

Improve this answer
1
  • Didn't know you can ctrl-shift-enter to run as admin, nice trick. But as I stated in the question, ultimately the command needs be be executable from a program (scripted), without human intervention, so this won't help in that regard.
    – Matt
    Commented May 12, 2011 at 16:20
-1

We are able to create a symlink through a script on Windows 2008 server but had to do one the following:

  • Provide SeCreateSymbolicLinkPrivilege privilege to the user who is running the script
  • Turn off UAC
Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .