3

I am trying to figure out how to grant myself permission to make symbolic links as a non-administrator on Windows 8.1 (NOT Windows 8.1 Pro) which lacks gpedit.msc. How do I do this?

Demi

3 Answers

2

If you are not joined to a domain, you can use secpol.msc.

  1. Press Start
  2. Type secpol.msc
  3. Press Enter
  4. Computer configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → Create symbolic links
surfasb
1

Based on Dmytro Bondarchuk's suggestion (indicated by Nikita Malyavin in this superuser answer), it appears we can use secedit with PowerShell native commands to add the symbolic links permissions to the user.

function Add-SymLinkPermissions {
    [CmdletBinding()]
    param (
        [Parameter(ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [string]
        $UserAccount = $env:USERNAME
    )
    Write-Host 'Checking SymLink permissions...'
    # Resolve the account name to a SID; 'Everyone' maps to the well-known SID S-1-1-0.
    $sidstr = $null
    if ( "$UserAccount" -eq 'Everyone' ) {
        $sidstr = 'S-1-1-0'
    }
    else {
        try {
            $NtPrincipal = New-Object System.Security.Principal.NTAccount "$UserAccount"
            $sid = $NtPrincipal.Translate([System.Security.Principal.SecurityIdentifier])
            $sidstr = $sid.Value.ToString()
        }
        catch {
            $sidstr = $null
        }
    }
    Write-Host "Account: $($UserAccount)" -ForegroundColor DarkCyan
    if ( [string]::IsNullOrEmpty($sidstr) ) {
        throw [System.ArgumentException]::new('UserAccount', 'UserAccount is not valid')
    }
    Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan
    # Export the current Local Security Policy to a temporary file.
    $tmp = [System.IO.Path]::GetTempFileName()
    Write-Host 'Export current Local Security Policy' -ForegroundColor DarkCyan
    secedit.exe /export /cfg "$($tmp)"
    $c = Get-Content -Path $tmp
    # Find the entries that currently hold the "Create symbolic links" right.
    $currentSetting = ''
    foreach ($s in $c) {
        if ( $s -like 'SECreateSymbolicLinkPrivilege*') {
            $x = $s.split('=', [System.StringSplitOptions]::RemoveEmptyEntries)
            $currentSetting = $x[1].Trim()
        }
    }
    if ( $currentSetting -notlike "*$($sidstr)*" ) {
        Write-Host 'Need to add permissions to SymLink' -ForegroundColor Yellow
        Write-Host 'Modify Setting "Create SymLink"' -ForegroundColor DarkCyan

        # Prepend the account's SID to the existing list.
        if ( [string]::IsNullOrEmpty($currentSetting) ) {
            $currentSetting = "*$($sidstr)"
        }
        else {
            $currentSetting = "*$($sidstr),$($currentSetting)"
        }
        Write-Host "$currentSetting"
        # The backticks stop PowerShell from expanding $CHICAGO inside the here-string.
        $outfile = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SECreateSymbolicLinkPrivilege = $currentSetting
"@
        $tmp2 = [System.IO.Path]::GetTempFileName()
        Write-Host 'Import new settings to Local Security Policy' -ForegroundColor DarkCyan
        $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force
        # secedit writes its database relative to the current directory.
        Push-Location (Split-Path $tmp2)
        try {
            secedit.exe /configure /db 'secedit.sdb' /cfg "$($tmp2)" /areas USER_RIGHTS
        }
        finally {
            Pop-Location
        }
    }
    else {
        Write-Host 'NO ACTIONS REQUIRED! Account already in "Create SymLink"' -ForegroundColor DarkCyan
        Write-Host "Account $UserAccount already has permissions to SymLink" -ForegroundColor Green
        return $true
    }
}

I have gathered the relevant parts into this GitHub Gist.

<# Grant SymLink rights PowerShell function from Gist #> 
iex (New-Object -TypeName System.Net.WebClient).DownloadString('https://gist.githubusercontent.com/mavaddat/68c1084c5ae12f2288442e9286d51802/raw/65374381b3dbbfadaea3b358a642a262c773eb59/grantSymLinkRights.ps1')  
<# Add symlink Rights (requires admin UAC) #> 
Add-SymLinkPermissions -UserAccount $env:USERNAME

Result:

Checking SymLink permissions...
Account:    ██████████
Account SID: S-█-█-██-██████████-██████████-█████████-██████
Export current Local Security Policy

The task has completed successfully.
See log %windir%\security\logs\scesrv.log for detail info.
Need to add permissions to SymLink
Modify Setting "Create SymLink"
S-█-█-██-██████████-██████████-█████████-██████,S-█-█-██-███
Import new settings to Local Security Policy

The task has completed successfully.
See log %windir%\security\logs\scesrv.log for detail info.
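
To check what the policy import above actually granted, the exported policy can be parsed for the entries that hold the right. This is an added example, not part of the answer or its Gist; the function name Get-SymLinkRightHolders, the choice of SIDs treated as broad, and the sample export are assumptions made for illustration.

```powershell
# Added example (not from the answer or its Gist): list holders of the symlink right.
function Get-SymLinkRightHolders {
    param ([Parameter(Mandatory)] [string[]] $InfLines)  # lines of a secedit export
    # Well-known SIDs that make the grant effectively machine-wide (assumed list).
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        # -match is case-insensitive, so the "SECreate..." spelling matches too.
        if ($t -notmatch '^SeCreateSymbolicLinkPrivilege\s*=\s*(.*)$') { continue }
        foreach ($entry in ($Matches[1] -split ',')) {
            $e = $entry.Trim()
            if (-not $e) { continue }
            $sid = $null; $name = $e        # bare entries are account names
            if ($e.StartsWith('*')) {       # "*S-1-..." entries are SIDs
                $sid = $e.Substring(1)
                $name = $broad[$sid]
                if (-not $name) {
                    try {
                        $o = New-Object System.Security.Principal.SecurityIdentifier $sid
                        $name = $o.Translate([System.Security.Principal.NTAccount]).Value
                    }
                    catch { $name = '(unresolved)' }
                }
            }
            [pscustomobject]@{
                Entry = $e
                Name  = $name
                Broad = ($null -ne $sid -and $broad.ContainsKey($sid)) -or ($e -eq 'Everyone')
            }
        }
    }
}
# Constructed sample export, not taken from a real machine.
$sample = @'
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544
SECreateSymbolicLinkPrivilege = *S-1-1-0,*S-1-5-32-544
'@ -split "`r?`n"
Get-SymLinkRightHolders -InfLines $sample | Format-Table -AutoSize
```

On a real system, pass the lines of the file written by the `secedit.exe /export /cfg` call in the function above, for example via `Get-Content`.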

-1

Solution

Polsedit is a utility to modify user policies such as user account rights and user privileges on a local or remote system. This can be useful when for some reason you are unable ro [sic] run secpol.msc snap-in, for example, XP Home and Vista Home do not have secpol.msc at all.

Source: Southsoftware Products

  1. Download Polsedit, and extract its archive somewhere.

  2. Launch the 32-bit or 64-bit version, depending on your operating system bitness. The program requires administrator rights.

  3. Right-click the Create symbolic links policy (the list is sorted alphabetically), and choose Properties from the context menu.

  4. Click the Add User or Group button, select the target account, and click OK.

  5. Repeat step 4 for any other required user or group. Click the Close button, and exit the program. The changes become effective next time the selected account(s) log on.

Further reading

and31415