
I would like to set up select users on our domain to have the ability to create symbolic links on local NTFS drives and network shares without needing to run as Administrator, as part of an application which will call the CreateSymbolicLink() API directly. The default configuration for our users is to be Administrator of their computer, and I think I am fighting UAC to make the privileges work the way that I want because of that. I found this link on MSDN which describes the interaction between the SeCreateSymbolicLinkPrivilege, UAC and a domain but really does not have a solution. Here are the three options I've come up with:

  1. Create a new group, give the SeCreateSymbolicLinkPrivilege to the group and assign users to the group
  2. Give each individual user (2 now, more later) the privilege
  3. Give the privilege to the default User group which opens it up to all Users
  4. Change config so Users are not Admins by default (probably would work but not likely)

Based on my testing, only 3 works for me and that is the least desirable but I've only got a local server to test with, not a domain. I need to recommend to the admin how to set this up and also have something that we can easily explain to other users of our application that are on their own domain or not on a domain. The other option seems to be to create a Service that runs with a SYSTEM account that creates the links for the application but I'd rather not go that route.

fp0n
  • I take it you logged out after changing the privileges and you also forced a refresh of the AD meta-data or waited 5-7 minutes? – 0xC0000022L Jun 10 '12 at 01:18
  • Can you describe why you need to bypass the NTFS permissions without admin rights? – Jim B Jun 10 '12 at 14:56
  • When a user runs as Admin on their local box, they cannot access network resources as the logged in domain user (mapped drives are marked as "Unavailable") so creating Symbolic or Hard links on network shares is restricted. I am trying to understand how UAC affects the privileges and what I have seen is that unless you give the privileges to the base User group, then UAC strips them out. – fp0n Jun 11 '12 at 13:30
  • The only way I was able to make this work, given our scenario where each user is an Administrator of their own computer, was to add the SeCreateSymbolicLink privilege to the base User group so that UAC did not remove it from the privileges the user had. We ended up only supporting Hard Links for what we needed so this was not implemented across our domain. – fp0n Jun 28 '12 at 21:37
  • @fp0n You should post that as an answer and mark it accepted. Glad you found a solution. Self-answered questions are welcome here. It can help others when searching. – jscott Jun 29 '12 at 00:20
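The behaviour described in the comments above (UAC filtering removes SeCreateSymbolicLinkPrivilege from the non-elevated token of a user who is a local Administrator) can be checked from the user's own session. The script below is an added example, not part of the original question or its comments; the scratch paths under $env:TEMP are placeholders, and the policy export step needs an elevated prompt.

```powershell
# Added example: diagnose why CreateSymbolicLink() fails for this user.
# Reports whether the token is elevated, whether the privilege is present
# in the token at all, and which SIDs hold it in local security policy.

function Get-SymlinkPrivilegeState {
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $prin = New-Object Security.Principal.WindowsPrincipal($id)
    $elevated = $prin.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /priv lists only privileges present in the current token.
    # A privilege stripped by UAC filtering does not appear at all.
    $line  = whoami /priv | Select-String '^SeCreateSymbolicLinkPrivilege\s'
    $state = if ($line) { ($line.Line -split '\s+')[-1] } else { 'Absent' }

    [pscustomobject]@{
        User      = $id.Name
        Elevated  = $elevated
        Privilege = $state   # Absent / Disabled / Enabled
    }
}

function Get-SymlinkPrivilegeHolders {
    # Export local policy (requires elevation) and read the user-rights line.
    # Well-known SIDs: S-1-5-32-544 = Administrators, S-1-5-32-545 = Users.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # scratch path
    secedit /export /cfg $cfg /quiet | Out-Null
    $assign = Get-Content $cfg | Select-String '^SeCreateSymbolicLinkPrivilege\s*='
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $assign) { return @() }
    ($assign.Line -split '=')[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try { ([Security.Principal.SecurityIdentifier]$sid).Translate(
                  [Security.Principal.NTAccount]).Value }
        catch { $sid }   # leave unresolvable SIDs as-is
    }
}

function Test-SymlinkCreation {
    # Try a real link in a scratch directory under the same token the
    # application will use; this is the same check CreateSymbolicLink() makes.
    $target = Join-Path $env:TEMP 'symlink-target.txt'
    $link   = Join-Path $env:TEMP 'symlink-test'
    Set-Content $target 'constructed test file'
    try     { New-Item -ItemType SymbolicLink -Path $link -Target $target -ErrorAction Stop | Out-Null; $true }
    catch   { $false }
    finally { Remove-Item $link, $target -ErrorAction SilentlyContinue }
}

Get-SymlinkPrivilegeState | Format-List
'Policy holders: ' + ((Get-SymlinkPrivilegeHolders) -join ', ')
'Link created: '   + (Test-SymlinkCreation)
```

If the non-elevated run reports Elevated = False and Privilege = Absent while the elevated run shows it Disabled or Enabled, the privilege is being removed by UAC token filtering rather than being missing from policy.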
