Block Symlink and Junction creation for a Directory

windows

Solution 1:

Create symbolic links is a user privilege, not a file system permission. As such it cannot be controlled for a particular windows directory as you wish. It can only be permitted or denied at a user/group level. By default it is enabled only for the local Administrators group.[1]

You would want to use the Local Security Authority (LSA) functions to work with SeCreateSymbolicLinkPrivilege privilege.

Microsoft Privileges

A system administrator can use administrative tools, such as User Manager, to add or remove privileges for user and group accounts. Administrators can programmatically use the Local Security Authority (LSA) functions to work with privileges. The LsaAddAccountRights and LsaRemoveAccountRights functions add or remove privileges from an account. The LsaEnumerateAccountRights function enumerates the privileges held by a specified account. The LsaEnumerateAccountsWithUserRight function enumerates the accounts that hold a specified privilege.

Privilege Constants

Constant/value Description
SE_CREATE_SYMBOLIC_LINK_NAME Required to create a symbolic link.
TEXT("SeCreateSymbolicLinkPrivilege") User Right: Create symbolic links.

Related

PowerShell: How to get local users and local groups, but exclude disabled accounts
Does using CloudFront just to enable https make sense?
Where is the definitive home for amavisd-new-2.12?
Change AD Display name from Lastname, Firstname to Firstname Lastname
How to restrict users from uploading files from Azure Virtual Desktop(AVD) to personal or public sites?
Provide WSUS access to Internet when using Squid proxy [closed]
Find out why a Kubernetes cluster was restarted on Google Cloud
Restore AWS glacier data created with synology hyper backup
Puppet Enterprise vs. Open Source
How can I get a static download link for a Microsoft MSDN Subscriber Download?
Automated method to convert .reg registry file to reg.exe commands
ICMP/Ping works even after adding iptables drop rule