Permission to make symbolic links in Windows 7?

62

15

How can I grant a particular user the permission to create symlinks in Windows 7?

I've searched through "Group Policy" and Google, but haven't found anything.

On a side note, is there a way to search through everything in Group Policy Editor? The filters only seem to work on particular subtrees. I never actually found anything using the filters.

KarolDepka

Posted 2010-02-04T19:28:19.483

Reputation: 805

2BTW Does anybody know why creating symlinks requires admin permissions? What is so dangerous in them? – Monsignor – 2017-07-13T18:58:29.097

1@Monsignor: I saw a long time ago that Microsoft claimed too many programs couldn't handle them safely. Anyway I'm rather annoyed that they require elevation to use. – Joshua – 2017-08-24T16:25:18.787

Answers

67

  1. Open the Local Group Policy Editor : Run>gpedit.msc. If that doesn't work try secpol.msc (Note, Windows Home users might need to enable group-policy-editor first).

  2. Go to (Windows Pro users might don't see the first two items ) :

    Computer configuration → Windows SettingsSecurity Settings → Local Policies → User Rights Assignment and edit the Create symbolic links.

    enter image description here

  3. Add the user or group that you want to allow to create symbolic links.

  4. If you've added your own user account, you need to log out and log in back in for the change to have an effect.

Note: This setting has no effect on user accounts that belong to the Administrators group. Those users will always have to run mklink in an elevated environment (as Administrator) because of the way UAC removes privileges when creating an non-elevated access token. There is a handy Excel reference sheet for finding group policy settings: Group Policy Settings Reference for Windows and Windows Server

DanO

Posted 2010-02-04T19:28:19.483

Reputation: 2 494

1Any way to do the same via registry for Microsoft-hated-non-Windows-8-Pro users? gpedit.msc is not available to them – szx – 2015-06-05T18:39:16.150

@szx - unfortunately User Rights security settings are not registry keys. If you are into programming, you can change the settings programmatically. However, using the numerous gpedit.msc hacks available to simple get gpedit onto windows home editions will likely be easier. Search for "advapi32 exports" if you want to do it programmatically. – DanO – 2015-06-07T23:19:50.903

I don't have the permission to run gpedit.mcs as a normal User. Is there another way I can see what privileges I have (especially if I may create symbolic links)? – LPrc – 2015-11-06T10:38:03.847

13Here it looked more like the following, just for reference if someone gets confused: Control Panel > Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment > Create symbolic links

And by the way you need to logout and login again for the settings to apply. – Seldaek – 2010-05-17T19:23:16.857

5And you can run secpol.msc to skip the first part, then all you got left is : Local Policies > User Rights Assignment > Create symbolic links – Seldaek – 2010-05-17T20:11:58.760

4re - "Those users will always have to run mklink in an elevated environment (as Administrator)"... so administrators are always having to run with elevated... arg. – Trevor Boyd Smith – 2016-02-14T15:06:12.617

1

For Home users: secedit /import /db secedit.sdb /cfg symlink_everyone.inf

– Kevin Smyth – 2016-03-22T20:46:10.073

@KevinSmyth: Where does the SDB file come from? – Lawrence Dol – 2016-12-12T23:00:05.060

Replace /import with /configure – orgads – 2017-04-20T16:05:52.977

For Windows 10 Pro 1803, I ran secpol.msc with Administrator privileges, then navigated to Security Settings -> Local Policies -> User Rights Assignment, and found 'Create symbolic links' – Asfand Qazi – 2018-10-12T11:39:44.927

5Also: Running "gpupdate /force" from either CMD or just the Run dialog should apply the setting as well. – Tobias Plutat – 2011-01-21T08:21:29.783

iisreset will do this for IIS permissions. – palswim – 2014-02-11T19:25:49.723

0

Some windows configurations miss gpedit.msc. In this case You can try as an alternative:

  1. running this PowerShell script from here:
    function addSymLinkPermissions($accountToAdd){
        Write-Host "Checking SymLink permissions.."
        $sidstr = $null
        try {
            $ntprincipal = new-object System.Security.Principal.NTAccount "$accountToAdd"
            $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
            $sidstr = $sid.Value.ToString()
        } catch {
            $sidstr = $null
        }
        Write-Host "Account: $($accountToAdd)" -ForegroundColor DarkCyan
        if( [string]::IsNullOrEmpty($sidstr) ) {
            Write-Host "Account not found!" -ForegroundColor Red
            exit -1
        }
        Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan
        $tmp = [System.IO.Path]::GetTempFileName()
        Write-Host "Export current Local Security Policy" -ForegroundColor DarkCyan
        secedit.exe /export /cfg "$($tmp)" 
        $c = Get-Content -Path $tmp 
        $currentSetting = ""
        foreach($s in $c) {
            if( $s -like "SECreateSymbolicLinkPrivilege*") {
                $x = $s.split("=",[System.StringSplitOptions]::RemoveEmptyEntries)
                $currentSetting = $x[1].Trim()
            }
        }
        if( $currentSetting -notlike "*$($sidstr)*" ) {
            Write-Host "Need to add permissions to SymLink" -ForegroundColor Yellow

            Write-Host "Modify Setting ""Create SymLink""" -ForegroundColor DarkCyan

            if( [string]::IsNullOrEmpty($currentSetting) ) {
                $currentSetting = "*$($sidstr)"
            } else {
                $currentSetting = "*$($sidstr),$($currentSetting)"
            }
            Write-Host "$currentSetting"
        $outfile = @"
    [Unicode]
    Unicode=yes
    [Version]
    signature="`$CHICAGO`$"
    Revision=1
    [Privilege Rights]
    SECreateSymbolicLinkPrivilege = $($currentSetting)
    "@
        $tmp2 = [System.IO.Path]::GetTempFileName()
            Write-Host "Import new settings to Local Security Policy" -ForegroundColor DarkCyan
            $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force
            Push-Location (Split-Path $tmp2)
            try {
                secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS 
            } finally { 
                Pop-Location
            }
        } else {
            Write-Host "NO ACTIONS REQUIRED! Account already in ""Create SymLink""" -ForegroundColor DarkCyan
            Write-Host "Account $accountToAdd already has permissions to SymLink" -ForegroundColor Green
            return $true;
        }
    }
  1. download polsedit which looks like freeware alternative to gpedit.msc

Then run gpupdate /force to apply changes immediately

Nikita Malyavin

Posted 2010-02-04T19:28:19.483

Reputation: 121

1Besides giving the source. please add the script in case the source is no longer present. – miroxlav – 2017-02-09T15:50:33.137

Windows Starter Edition, Home and Home Premium do not include gpedit.msc. Instructions to install it are in my question & answer Windows Starter Edition, Home and Home Premium do not include gpedit, how do I install it?

– DavidPostill – 2017-02-10T15:46:54.667

Asked: 2010-02-04T19:28:19.483

Viewed: 42 966 times

Active: 2018-11-02T10:51:30.273