Cannot create symbolic link even as a member of Administrators

Discussion in 'Windows 8 Help and Support' started by eldiener, Aug 8, 2014.

  1. eldiener

    eldiener Senior Member

    Joined:
    Nov 17, 2012
    Messages:
    28
    Likes Received:
    0
    Even though I am a member of the Administrators group, when I try to create a symbolic link I get the message:

    "You do not have sufficient privilege to perform this operation."

    In Windows7 I am also a member of Administrators and have no problem creating symbolic links.

    Does anybody have any idea why this is not working in Windows8 ?
     
  2. Josephur

    Josephur Windows Forum Admin
    Staff Member Premium Supporter

    Joined:
    Aug 3, 2010
    Messages:
    1,018
    Likes Received:
    125
    Are you running the command prompt as administrator and using the mklink command? If so post your syntax of the command.
     
  3. eldiener

    eldiener Senior Member

    Joined:
    Nov 17, 2012
    Messages:
    28
    Likes Received:
    0
    I am not running the command prompt as administrator but I am a member of the Administrator group running a normal command prompt. My syntax is:

    mklink /d c:\MyLink c:\utilities\myDir

    I need c:\MyLink to be a symbolic directory link to my directory c:\utilities\myDir.

    Do I really need to be opening a command prompt as Administrator in order to make a symbolic link ? That is not the case for Windows7, where I can open a normal command prompt and make a symbolic link since I am a member of the Administrator group on Windows7 also.
     
  4. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    Joined:
    May 22, 2012
    Messages:
    2,530
    Likes Received:
    314
    Yes you really do however you can also set admin as the default cmd and assume that only you will use it...
     
  5. eldiener

    eldiener Senior Member

    Joined:
    Nov 17, 2012
    Messages:
    28
    Likes Received:
    0
    That is not good. There should be no reason why a member of the Administrator group cannot successfully issue a 'mklink' command. I run programs and scripts which assume that a symbolic link can be made and if Windows8 fails to do I cannot use it and must stay with Windows7.

    There had been a great deal of discussion why making symbolic links even needed Administrator priveleges in Windows7 ( and below ). On Linux anyone can make a symbolic link. And now on Windows8 instead of making things easier as far as symbolic links are concerned Microsoft makes things even more ridiculous. There is something wrong here and clearly Windows8 is not usable if a member of the Administrators group cannot even create a symbolic link without running as the Administrator himself.
     
  6. eldiener

    eldiener Senior Member

    Joined:
    Nov 17, 2012
    Messages:
    28
    Likes Received:
    0
    I see where in Windows7 I have set my command prompt to "Run As Administrator". I forgot I had to do this in order to create a symbolic link from the command prompt.

    It still seem illogical that if I am a member of a group ( Administrators ) by which I have the local security right to create a symbolic link, I should not be able to do this when running as myself. Maybe someone knows of Microsoft's thinking behind this.
     
  7. Josephur

    Josephur Windows Forum Admin
    Staff Member Premium Supporter

    Joined:
    Aug 3, 2010
    Messages:
    1,018
    Likes Received:
    125
    I believe this is a security policy that you need to modify, makes sense that they disallowed them as most people never use symbolic links on NTFS.

    Fire up Group Policy editor (gpedit.msc) and browse to the following location:
    Computer Configuration -> Security Settings -> Local Policies -> User Rights Assignment -> Create symbolic links

    Also see the fsutil command:
    fsutil behavior query symlinkevaluation
    fsutil behaviour set symlinkevaluation

    If all else fails maybe toggling UAC off would allow creation?
     
  8. eldiener

    eldiener Senior Member

    Joined:
    Nov 17, 2012
    Messages:
    28
    Likes Received:
    0
    I looked at the security policy you mention and the group 'Administrators' is already added for 'Create symbolic links'.. I am a member of the group 'Administrators'. I also have UAC off.

    You would think that the 'mklink' command would look to see if the user has the right to create symbolic links based on the security policy you mention above. But evidently it does not do that for whatever strange reason Microsoft has deemed. Instead it evidently decides that only the Administrator can create a symbolic link. So Microsoft creates a specific security policy for creating symbolic links and then completely ignores it in its own command to do so. Go figure !
     
  9. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    Joined:
    May 22, 2012
    Messages:
    2,530
    Likes Received:
    314
    Because the 'mklink' command would then need to be MUCH larger and have a way to go searching for this extra data… perhaps over the network in the case of a domain, it would also need permission to enter a user's profile and look at their settings.

    A human operator can simply say "run as admin" to make the extra code redundant & that seems to work well enough to keep most people happy.

    Yes, A skilled coder could make it browse our emails, do your internet banking & in the near future perhaps even have sex with your wife… what investors and consumers will think of this new Windows feature is debatable. :rolleyes:
     
  10. eldiener

    eldiener Senior Member

    Joined:
    Nov 17, 2012
    Messages:
    28
    Likes Received:
    0
    If it is really so hard and would make a program "MUCH larger" to actually check the security tokens of an end-user to see if they can use some Windows functionality that is protected by Windows security, then Microsoft would have thrown the entire security system away. But of course this is all untrue as I, a programmer, know well and your answer is absurd and makes you look ridiculous in the eyes of anyone who knows and does Windows programming.
     
  11. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    Joined:
    May 22, 2012
    Messages:
    2,530
    Likes Received:
    314
    For what its worth I am c+ and v-basic certified but "run as admin" has been around a long time so as a requirement is nothing new… i.e. something all windows programmers need to know.

    The problem with just throwing away old security protocols and functionality is that Windows needs to remain backwards compatible… as any software developer knows, making something that only works on one version of Windows with one set of hardware is simple, cheap and only needs a light footprint… that’s why Microsoft is so strongly behind the development of apps as the future for student programmers.

    p.s. I admit my Powershell scripting needs a refresher but each too their own and I hope you have a good day.
     
  12. eldiener

    eldiener Senior Member

    Joined:
    Nov 17, 2012
    Messages:
    28
    Likes Received:
    0
    My point is that Microsoft designed a security system to give different users different rights to do things in Windows. It does not matter if it is Vista or 7 or 8, or even XP, this system has been in place for a long time. Then they create a program, "mklink", which pays no attention to the security system which they themselves designed. Does this make sense to you ? It does not make sense to me.

    I realize that you are not a Microsoft employee and my comments about the way "mklink" works is not going to change Microsoft in any way. The best thing for me to do is simply file a "suggestion" on their bug reporting page. Whether they eventually do anything about it is up to them. It is just a bother that I must run a command shell as an Administrator in order to use "mklink" when I already have the security rights as a member of the Administrators group to create a symbolic link.

    Anyway I have adjusted to this silliness on my own system, but it should never have been necessary.
     

Share This Page

Loading...