I still had an issue running the sc.exe commands with PowerShell as a startup script via Group Policy. It was being denied access per the Start-Transcript log file. I used the below PowerShell logic for example and it did not work for me in my case.
I tried several variations of multiple things and syntaxes using PowerShell.exe, -verb RunAs, Start-Process and slews of things short of running it as a local script with Task Scheduler as SYSTEM, which I was trying to avoid.
Note: This is just a general example of one of the variations that failed with the same result and transcript output as all other variations tried.
$privs = (sc.exe qprivs gpsvc).Split(":")[5..99] | % { Process { If( $_.Trim().Length -gt 0 ){ $_.Trim() } } };
$privs = $privs + "SeCreateSymbolicLinkPrivilege";
$privs = $privs -Join "/";
Invoke-Expression "sc.exe privs gpsvc $privs"
A solution that works (in my case)
I used the below PowerShell logic as a startup script via Group Policy and now creating symbolic links works. To keep the example simple, I used Google Chrome for generalization.
Basically I had to manipulate the multistring registry value of the correlated permissions for the service rather than using sc.exe, appending the needed "SeCreateSymbolicLinkPrivilege" value that way.
#Start-Transcript -Path C:\Log\Transcript.txt
$v = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\gpsvc").RequiredPrivileges;
If ( $v -notcontains "SeCreateSymbolicLinkPrivilege" ) {
    $v = $v + "SeCreateSymbolicLinkPrivilege";
    Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\gpsvc" RequiredPrivileges $v -Type MultiString;
};
$Chrome86 = "C:\Program Files (x86)\Google\Chrome";
$Chrome = "C:\Program Files\Google\Chrome";
If(!(Test-Path $Chrome86)){
    If(Test-Path $Chrome){New-Item -Path $Chrome86 -ItemType SymbolicLink -Value $Chrome -Force}
}
If(!(Test-Path $Chrome)){
    If(Test-Path $Chrome86){New-Item -Path $Chrome -ItemType SymbolicLink -Value $Chrome86 -Force}
}
psexec (since you know that works).
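A read-only check of the registry value the answer edits, added here as an example and not part of the original answer: it reports whether gpsvc lists SeCreateSymbolicLinkPrivilege in RequiredPrivileges, and goes beyond the answer by listing every service that does, which is useful when auditing where this change has been rolled out. The function name Get-ServicePrivilegeState and the variable names are assumptions of this example.

```powershell
# Added example (not from the original answer). Read-only: nothing is modified.
$Privilege   = 'SeCreateSymbolicLinkPrivilege'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Hypothetical helper: returns the RequiredPrivileges state of one service key.
function Get-ServicePrivilegeState {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Privilege
    )
    $path = Join-Path $ServicesKey $ServiceName
    # Returns nothing (no error) when the key has no RequiredPrivileges value.
    $item = Get-ItemProperty -LiteralPath $path -Name RequiredPrivileges -ErrorAction SilentlyContinue

    $list = @()
    if ($item) {
        # REG_MULTI_SZ comes back as a string array; drop empty entries.
        $list = @($item.RequiredPrivileges | Where-Object { $_ })
    }

    [pscustomobject]@{
        Service      = $ServiceName
        HasValue     = [bool]$item
        HasPrivilege = $list -contains $Privilege   # -contains is case-insensitive
        Privileges   = $list -join ', '
    }
}

# 1. The service the answer modifies.
Get-ServicePrivilegeState -ServiceName 'gpsvc' -Privilege $Privilege | Format-List

# 2. Generalization: every service whose RequiredPrivileges lists the privilege.
Get-ChildItem -LiteralPath $ServicesKey |
    ForEach-Object { Get-ServicePrivilegeState -ServiceName $_.PSChildName -Privilege $Privilege } |
    Where-Object HasPrivilege |
    Sort-Object Service |
    Format-Table Service, Privileges -AutoSize
```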