Why is SeCreateSymbolicLinkPrivilege ignored on Windows 8?

1

29

I'd like to enable my standard user account (i.e. not elevated) to be able to call CreateSymbolicLink.

However, on Win8, even adding "Everyone" to the SeCreateSymbolicLinkPrivilege ("Create Symbolic Links" in secpol.msc) under local group policy still results in STATUS_PRIVILEGE_NOT_HELD. Why?

Scalar answered 10/3, 2013 at 8:55 Comment(6)
Silly question, are you running cmd as Administrator? - Spongy
This setting works for me, when the user in question is a standard user (in Users, not Administrators), but when the user is in Administrators, creating Symlinks is subject to UAC. - Volans
@PeterRitchie I'm explicitly trying to configure my local security policy so creating Symlinks doesn't require elevation - Scalar
@ChristianKlauser Are you saying that UAC is hard-coded to trump what's in the local GP? - Scalar
Apparently if the user is in the administrator's group they have to Run as Administrator to use MKLINK. If you remove the user from Administrators apparently all the above works. See also superuser.com/questions/124679/… - Spongy
Isn't this a mishap by Microsoft? - Cracker
25

It is indeed UAC, as Christian suspected.

MSDN: Windows Vista Application Development Requirements for User Account Control Compatibility:

What privileges the filtered token contain are based on whether the original token contained any of the restricted RIDS listed above (ed: AKA if you're a non-elevated Admin). If any of the restricted RIDs were in the token, all of the privileges are removed except:

  • SeChangeNotifyPrivilege
  • SeShutdownPrivilege
  • SeUndockPrivilege
  • SeReserveProcessorPrivilege
  • SeTimeZonePrivilege
Scalar answered 11/3, 2013 at 3:0 Comment(4)
Ah yes that makes sense. Is this configurable or did Microsoft hard-code this set of retained privileges? Having SeCreateSymbolicLinkPrivilege on that list would be nice. - Volans
I can verify that once UAC is disabled, I'm able to create symlinks, even from my main account that has admin rights. Wooohoo! - Impearl
FYI, you can double-check your own privileges in use with whoami /priv. - Worden
I have a bizarre situation. I believe one of the Insider Previews changed the Token behavior. I have a VM with non-insider preview Windows 10 and I cannot create symlinks without using Run as Admin. I've turned off UAC, put users in the Group Policy and still doesn't work. On another machine I have what I believe is the same setup but it has the latest Insider Preview build. And it allows me to create symlinks WITHOUT Run As Admin. Ideas? - Weaponeer
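To tell the two cases in this thread apart (privilege never granted versus privilege stripped from a UAC-filtered token), the sketch below classifies the output of `whoami /priv /fo csv` and `whoami /groups /fo csv`. It is an added example, not code from the question or answer; it assumes English column headers and that a filtered token shows BUILTIN\Administrators as "Group used for deny only", and the sample outputs are constructed.

```python
import csv
import io

# Privileges the quoted MSDN text lists as surviving UAC token filtering.
RETAINED = {"SeChangeNotifyPrivilege", "SeShutdownPrivilege", "SeUndockPrivilege",
            "SeReserveProcessorPrivilege", "SeTimeZonePrivilege"}
SYMLINK = "SeCreateSymbolicLinkPrivilege"
ADMINS_SID = "S-1-5-32-544"  # BUILTIN\Administrators

# Constructed samples (not captured from a real machine); English headers assumed.
GROUPS_FILTERED_ADMIN = '''
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\\Administrators","Alias","S-1-5-32-544","Group used for deny only"
'''
PRIV_FILTERED_ADMIN = '''
"Privilege Name","Description","State"
"SeShutdownPrivilege","Shut down the system","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
'''
GROUPS_STANDARD_USER = '''
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
'''
PRIV_STANDARD_USER = '''
"Privilege Name","Description","State"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeCreateSymbolicLinkPrivilege","Create symbolic links","Disabled"
'''

def rows(text):
    """Parse whoami CSV output into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text.strip())))

def diagnose(priv_csv, groups_csv):
    """Classify why SeCreateSymbolicLinkPrivilege is or is not in the token."""
    held = {r["Privilege Name"] for r in rows(priv_csv)}
    # Assumption: a UAC-filtered token keeps Administrators only as a deny-only SID.
    filtered = any(r["SID"] == ADMINS_SID and "deny only" in r["Attributes"].lower()
                   for r in rows(groups_csv))
    if SYMLINK in held:
        verdict = "held"
    elif filtered:
        verdict = "stripped by UAC filtering"
    else:
        verdict = "not assigned"
    return {"verdict": verdict, "filtered_token": filtered,
            "outside_retained_list": sorted(held - RETAINED)}

if __name__ == "__main__":
    print(diagnose(PRIV_FILTERED_ADMIN, GROUPS_FILTERED_ADMIN))
    print(diagnose(PRIV_STANDARD_USER, GROUPS_STANDARD_USER))
```

On a real machine, feed `diagnose` the captured text of the two `whoami` commands from the same non-elevated session.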