user rights assignment create symbolic links

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Create symbolic links

• 13 contributors

Describes the best practices, location, values, policy management, and security considerations for the Create symbolic links security policy setting.

This user right determines if users can create a symbolic link from the device they're logged on to.

A symbolic link is a file system object that points to another file system object that is called the target. Symbolic links are transparent to users. The links appear as normal files or directories, and they can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Microsoft has implemented symbolic links to function just like UNIX links.

This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them.

Constant: SeCreateSymbolicLinkPrivilege

Possible values

• User-defined list of accounts
• Not Defined

Best practices

• Only trusted users should get this user right. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Default values

By default, members of the Administrators group have this right.

The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.

Policy management

This section describes different features and tools available to help you manage this policy.

A restart of the device isn't required for this policy setting to be effective.

Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

Group Policy

Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

• Local policy settings
• Site policy settings
• Domain policy settings
• OU policy settings

When a local setting is greyed out, it indicates that a GPO currently controls that setting.

Command-line tools

This setting can be used in conjunction with a symbolic link file system setting that can be manipulated with the command-line tool to control the kinds of symlinks that are allowed on the device. For more info, type fsutil behavior set symlinkevaluation /? at the command prompt.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

Users who have the Create symbolic links user right could inadvertently or maliciously expose your system to symbolic link attacks. Symbolic link attacks can be used to change the permissions on a file, to corrupt data, to destroy data, or as a DoS attack.

Countermeasure

Don't assign the Create symbolic links user right to standard users. Restrict this right to trusted administrators. You can use the fsutil command to establish a symbolic link file system setting that controls the kind of symbolic links that can be created on a computer.

Potential impact

None. Not defined is the default configuration.

Related topics

• User Rights Assignment

Submit and view feedback for

Additional resources

Enabling Symlinks on Windows

Enabling symlinks on windows when using helix core clients apr 10, 2022 • knowledge, information, article body.

Perforce client programs on certain Windows versions can create symbolic links.   Earlier Perforce clients will create a text file showing the link information.

Symbolic links are available in the NTFS file system starting with Windows  Vista.

The privilege "Create Symbolic Links" and your User Account Control settings affect the ability to create symlinks.

You can check your ability to create symlinks, open a command window and cd to somewhere in your client directory tree.   You should do this without involving any Perforce client.   Pick an existing file and run:

Sample success:

Sample fail:

How To Enable using Symbolic Links

Create symbolic links privilege.

User Account Control Setting

NTFS Filesystem

Related Articles

• Number of Views 535
• Number of Views 11
• Number of Views 2.34K
• Number of Views 209
• Number of Views 1.03K

Was this article helpful?

• NIST 800-53
• Common Controls Hub

The Create symbolic links user right must only be assigned to the Administrators group.

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Super User is a question and answer site for computer enthusiasts and power users. It only takes a minute to sign up.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Permission to make symbolic links in Windows 7?

How can I grant a particular user the permission to create symlinks in Windows 7?

I've searched through "Group Policy" and Google, but haven't found anything.

On a side note, is there a way to search through everything in Group Policy Editor? The filters only seem to work on particular subtrees. I never actually found anything using the filters.

• permissions
• filesystems
• symbolic-link

• 2 BTW Does anybody know why creating symlinks requires admin permissions? What is so dangerous in them? –  Monsignor Jul 13, 2017 at 18:58
• 2 @Monsignor: I saw a long time ago that Microsoft claimed too many programs couldn't handle them safely. Anyway I'm rather annoyed that they require elevation to use. –  Joshua Aug 24, 2017 at 16:25

2 Answers 2

Open the Local Group Policy Editor : Run > gpedit.msc . If that doesn't work try secpol.msc (Note, Windows Home users might need to enable group-policy-editor first).

Go to (Windows Pro users might don't see the first two items ) :

Computer configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment and edit the Create symbolic links .

Add the user or group that you want to allow to create symbolic links.

If you've added your own user account, you need to log out and log in back in for the change to have an effect.

Note : This setting has no effect on user accounts that belong to the Administrators group. Those users will always have to run mklink in an elevated environment (as Administrator) because of the way UAC removes privileges when creating an non-elevated access token . There is a handy Excel reference sheet for finding group policy settings: Group Policy Settings Reference for Windows and Windows Server

• 14 Here it looked more like the following, just for reference if someone gets confused: Control Panel > Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment > Create symbolic links And by the way you need to logout and login again for the settings to apply. –  Seldaek May 17, 2010 at 19:23
• 5 And you can run secpol.msc to skip the first part, then all you got left is : Local Policies > User Rights Assignment > Create symbolic links –  Seldaek May 17, 2010 at 20:11
• 5 Also: Running "gpupdate /force" from either CMD or just the Run dialog should apply the setting as well. –  Tobias Plutat Jan 21, 2011 at 8:21
• 2 Any way to do the same via registry for Microsoft-hated-non-Windows-8-Pro users? gpedit.msc is not available to them –  szx Jun 5, 2015 at 18:39
• 6 re - "Those users will always have to run mklink in an elevated environment (as Administrator)"... so administrators are always having to run with elevated... arg. –  Trevor Boyd Smith Feb 14, 2016 at 15:06

Some windows configurations miss gpedit.msc . In this case You can try as an alternative:

• running this PowerShell script from here :
• download polsedit which looks like freeware alternative to gpedit.msc

Then run gpupdate /force to apply changes immediately

• 3 Besides giving the source. please add the script in case the source is no longer present. –  miroxlav Feb 9, 2017 at 15:50
• 1 Windows Starter Edition, Home and Home Premium do not include gpedit.msc. Instructions to install it are in my question & answer Windows Starter Edition, Home and Home Premium do not include gpedit, how do I install it? –  DavidPostill ♦ Feb 10, 2017 at 15:46
• 1 this is why I prefer unix –  CervEd Apr 8, 2022 at 8:30
• @CervEd: This is probably off-topic, but even if I like *nix systems too, I have seen commercial Unix tools that were also artificially restricted (accordingly to the license price the paid for the particular installation). So I prefer to say: "This is why I love F/LOSS *nix software" :) –  saulius2 Sep 16 at 22:03

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged windows-7 security permissions filesystems symbolic-link ..

• The Overflow Blog
• How to scale a business-ready AI platform with watsonx: Q&A with IBM sponsored post
• Will developers return to hostile offices?
• Featured on Meta
• We're rolling back the changes to the Acceptable Use Policy (AUP)
• Seeking feedback on tags update

Hot Network Questions

• Are stable isotopes ever used in pharmaceuticals?
• Assuming other variables are good, could earth plants survive the light intensity on the surface of Mercury?
• Should a full stop punctuation be used in Abbreviations?
• At Dublin airport, is preclearance available for Canadian flights, or just for USA?
• Choosing a chainring for eewings crank
• Problem in merging images
• Who is the small green caterpillar on my head?
• Applying the Central Limit Theorem to a Piecewise PDF
• Which parent should you start playing against?
• Is it normal for a junior programmer to be alone in a project?
• External Tenure Evaluation During a sabbatical
• Indent Guideline in Text Editor
• One of PCs backstabbed a powerful ally. How do I punish them without seeming like singling them out?
• Guitar Cabinet volume low
• How can we plot Man Ray's "Shakespearean Equation" w == e^(1/z)?
• Supervisor refuses to be included as a co-author in PhD student papers?
• Are there multiple types of UTC time?
• Why does Mathematica not recognize a convergent series?
• How can prevent the source voltage from dropping when using a 555 timer
• What does the Earth look like when viewed from Saturn?
• Being sent away from an airfield - could I have asked more questions?
• GeoPandas to pull attributes from polygons based on point coordinates
• What is laboratory air?
• "You Search the Scriptures" - How has the democratization of access to the scriptures affected biblical hermeneutics? (John 5:33, 39)

Your privacy

By clicking “Accept all cookies”, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy .

  Windows OS Hub / Windows 10 / Creating Symbolic Links (Symlinks) in Windows

Creating Symbolic Links (Symlinks) in Windows

Symbolic links are quite often used in Windows for system files and directories. You may use them when you need to move large files to another disk and Windows must consider that they are still located in the original directory (for example, when you want to save space on an SSD by moving some directories to a slower and larger HDD without disrupting programs). You can use symlinks on your SMB file server when directories located in different LUNs must be available in a single entry point.

The three types of file links available in Windows for NTFS volumes: hard links, soft links (symlinks), and Junction Points.

• Hard Links can only point to a local file, but not to a folder. A hard link is a file link to another file on the same volume without duplicating the file. It has the same size and properties as the source file (but it does not take up real space on the drive);
• Junction Points (Directory Hard Link) can only point to a directory (on the same or another volume);
• Symbolic Links (soft link, symlink) can point to a local file, folder, or network share on a remote computer (by the UNC path). Relative paths are supported.

In most cases, you can use a symlink for most tasks when you need to create a reference to an object.

How to Create a Symbolic Link in Windows?

To create symbolic or hard links in Windows, you can use the built-in mklink tool or PowerShell.

mklink has a simple syntax. To create a symbolic link to a file, specify the link name and the target object you want it to point to. You can set the link type: /D — a symbolic (soft) link to a directory, /H — a hard link, /J – a Junction point.

If you want to allow non-admin users to create symbolic links, add the user group to Create Symbolic Links GPO option (Computer Configuration -> Window Settings -> Security Settings -> User Rights Assignment in the GPO editor). By default, only the local Administrators group is added to the policy. Update local Group Policy after changing the setting: gpupdate /force

Create a symbolic link to the notepad.exe file in C:\PS:

mklink C:\PS\note.exe c:\Windows\System32\notepad.exe

Now you can use the note.exe symlink to run notepad.exe.

Create a symlink to another folder on the same drive:

mklink /D "C:\PS\Downloads" "C:\Users\user\Downloads"

Now, when you open the C:\PS\Downloads folder you will see the contents of the directory it refers to.

You can also create a symbolic link in Windows using PowerShell (in this example I use relative paths to create symlink):

New-Item -ItemType SymbolicLink -Path ".\test\tmpfiles" -Target "..\tmp\files"

You can create a symbolic link to a shared network folder on a remote computer or server. Specify the network share address in the UNC format.

For example, let’s connect the administrative share C$ on a remote computer using its IP address:

mklink /D c:\remotePC\server1 \\192.168.13.10\C$

If you see the following error when accessing a share using a symlink:

Check the allowed ways of using symbolic links on your computer:

fsutil behavior query SymlinkEvaluation

To enable symbolic links to remote resources, run the following commands:

fsutil behavior set SymlinkEvaluation R2R:1 fsutil behavior set SymlinkEvaluation R2L:1

You can work with symbolic links in the same way as with ordinary file system objects: move, rename, or delete them.  Windows will automatically change the settings of the symlinks so that they point to the correct targets.

To remove symlinks, the usual commands are used (like you do for files):

Del c:\ps\note.exe RD c:\ps\downloads

How to Find All Symbolic Links on a Windows Drive?

There are no built-in tools in Windows to view and manage all symlinks on a disk.

You can list all symbolic links on a disk using this command:

dir /AL /S C:\ | find "SYMLINK"

• /A – to display files with L attribute (symlinks)
• /S –run the command recursively for all subfolders
• C:\ — specify a drive name or path to a folder to search for symlinks

You can also get a list of all symbolic links on a disk using PowerShell. Just scan all folders and find NTFS objects with the ReparsePoint attribute:

Get-ChildItem -Path C:\ -Force -Recurse -ErrorAction 'silentlycontinue' | Where { $_.Attributes -match "ReparsePoint"}

Configuring Windows Firewall Rules Using Group Policy

Install and configure postgresql on windows, related reading, install windows terminal without the microsoft store, how to connect vpn before windows logon, using wpad (web proxy auto-discovery protocol) on windows, zabbix: how to get data from powershell scripts, tracking printer usage with windows event viewer logs.

why is this formatted so strange. hard to read.

Leave a Comment Cancel Reply

Notify me of followup comments via e-mail. You can also subscribe without commenting.

Current ye@r *

Leave this field empty