Permission to make symbolic links in Windows 7?
How can I grant a particular user the permission to create symlinks in Windows 7?
I've searched through "Group Policy" and Google, but haven't found anything.
On a side note, is there a way to search through everything in Group Policy Editor? The filters only seem to work on particular subtrees. I never actually found anything using the filters.
-
Open the Local Group Policy Editor :
Run>gpedit.msc. If that doesn't work trysecpol.msc(Note, Windows Home users might need to enable group-policy-editor first). -
Go to (Windows Pro users might don't see the first two items ) :
Computer configuration → Windows Settings→Security Settings → Local Policies → User Rights Assignmentand edit theCreate symbolic links.
-
Add the user or group that you want to allow to create symbolic links.
-
If you've added your own user account, you need to log out and log in back in for the change to have an effect.
Note: This setting has no effect on user accounts that belong to the Administrators group. Those users will always have to run mklink in an elevated environment (as Administrator) because of the way UAC removes privileges when creating an non-elevated access token. There is a handy Excel reference sheet for finding group policy settings: Group Policy Settings Reference for Windows and Windows Server
Some windows configurations miss gpedit.msc. In this case You can try as an alternative:
- running this PowerShell script from here:
function addSymLinkPermissions($accountToAdd){
Write-Host "Checking SymLink permissions.."
$sidstr = $null
try {
$ntprincipal = new-object System.Security.Principal.NTAccount "$accountToAdd"
$sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
$sidstr = $sid.Value.ToString()
} catch {
$sidstr = $null
}
Write-Host "Account: $($accountToAdd)" -ForegroundColor DarkCyan
if( [string]::IsNullOrEmpty($sidstr) ) {
Write-Host "Account not found!" -ForegroundColor Red
exit -1
}
Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan
$tmp = [System.IO.Path]::GetTempFileName()
Write-Host "Export current Local Security Policy" -ForegroundColor DarkCyan
secedit.exe /export /cfg "$($tmp)"
$c = Get-Content -Path $tmp
$currentSetting = ""
foreach($s in $c) {
if( $s -like "SECreateSymbolicLinkPrivilege*") {
$x = $s.split("=",[System.StringSplitOptions]::RemoveEmptyEntries)
$currentSetting = $x[1].Trim()
}
}
if( $currentSetting -notlike "*$($sidstr)*" ) {
Write-Host "Need to add permissions to SymLink" -ForegroundColor Yellow
Write-Host "Modify Setting ""Create SymLink""" -ForegroundColor DarkCyan
if( [string]::IsNullOrEmpty($currentSetting) ) {
$currentSetting = "*$($sidstr)"
} else {
$currentSetting = "*$($sidstr),$($currentSetting)"
}
Write-Host "$currentSetting"
$outfile = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SECreateSymbolicLinkPrivilege = $($currentSetting)
"@
$tmp2 = [System.IO.Path]::GetTempFileName()
Write-Host "Import new settings to Local Security Policy" -ForegroundColor DarkCyan
$outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force
Push-Location (Split-Path $tmp2)
try {
secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS
} finally {
Pop-Location
}
} else {
Write-Host "NO ACTIONS REQUIRED! Account already in ""Create SymLink""" -ForegroundColor DarkCyan
Write-Host "Account $accountToAdd already has permissions to SymLink" -ForegroundColor Green
return $true;
}
}
- download polsedit which looks like freeware alternative to gpedit.msc
Then run gpupdate /force to apply changes immediately