Home windows Creating a Symbolic Link (Symbolic Link) through group policies (GPO)

Creating a Symbolic Link (Symbolic Link) through group policies (GPO)




Create a policy to apply the startup script (policy on a computer). Script code:

mklink c: \ log \ cmd.link.exe C: \ Windows \ System32 \ cmd.exe & gt; & gt; C: \ log \ symlink.log 2 & gt; & amp; 1

Drawing into machines with Win7 32/64 bits, the UAC is disabled everywhere. In the Log C: \ log \ symlink.log I invariably see the error “not enough privileges to perform this operation.”

What could be the problem? Google suggests only the “run CMD from the administrator”, or register privileges for everyone to create links, but when you start the script with your hands from the administrator, or from the system (via PSEXEC -S -E ) everything works. The problem is only when used with politics.

tried even through PowerShell to wrap (just in case):

start-process -filepath "$ env: windir \ system32 \ cmd.exe" -argumentlist "/ c mklink c: \ log \ cmd.link.exe C: \ Windows \ System32 \ cmd.exe & gt; & gt; c: \ log \ symlink.txt 2 & gt; & amp; 1 "-verb runas

also does not help – the error is the same …

Maybe there is some kind of analog Mklink for PowerShell? I could not find anything.

Added to the Script Location Whoami / All & GT; C: \ log \ symlink.log 2 & gt; & amp; 1 at the request of TOV. Petseral . Team output:

user information
User sid.
==================== ========
NT Authority \ S-1-5-18 system
Group information
Group SID Type Attributes
=============================================== === ==================== ============ ================== ===========================================
Builtin \ Administrators of the alias S-1-5-32-544 are included by default, the included group, the owner of the group
All well-known group S-1-1-0 mandatory group included by default, group included
NT Authority \ Checking The well-known group S-1-5-11 Mandatory group included by default, group included
Mandatory label \ Mandatory system level S-1-16-16384
Information about privileges
Privilege name Description area, edge
================================================== ====================== =============
SeassignPrimaryTokenPrivilege Replacing the process marker is disabled
SeincReaseQuotaprivilege Setting the memory quotas for the process is disabled
Setcbprivilege operation in operating system mode is enabled
SesecurityPrivilege audit control and security log disabled
SetAkeowNershipPrivilege Changing file owners and other objects is disabled
SELOADDRIVERPRIVILEGE Loading and Unloading Device Drivers Disabled
SecreatePermaNENTPrivilege Creating permanent general objects included
Sebackupprivilege Archiving Files and Directory Disabled
SerestorePrivilege Restore Files and Directory Disabled
SeshutdownPrivilege Completion of the system is disabled
Secangenotifyprivilege cross-checking included
SeimpersonatePrivilege Client Imitation After authentication is enabled

Answer 1, Authority 100%

Boot scripts are executed by the Group Policy Client (gpsvc ) service and have the same set of privileges as the service itself. By default, the service runs as the system account, but the service sets the list of required privileges, and the SeCreateSymbolicLinkPrivilege privilege is not included in this list.

When a service process starts, privileges not specified in the list required for the service (for services running in WIN32_SHARE_PROCESS mode, a combined list of all services that can run in this process is used) are excluded from the process token.

Thus, the gpsvc service does not receive the SeCreateSymbolicLinkPrivilege privilege because it does not request it. The Group Policy scripts that this service runs do not get this privilege either, so trying to create a symbolic link fails.

To fix the error, add the SeCreateSymbolicLinkPrivilege privilege to the list of gpsvc required for the service. This can be done using the sc console command of the privs subcommand:

C: \ & gt; sc privs
    Change the required privileges setting for a service.
    Privilege settings take effect when the service process starts
    when the first service of the process starts. At this point, the control manager
    services (SCM) defines a set of all the privileges required by all
    services participating in this process, and then creates a process with such
    privileges. If this parameter is absent, it is assumed that
    the service requires all the privileges allowed by the security engine
    for a process that runs on behalf of the account configured
    for this service.
    sc & lt; server & gt; privs [service name] [privileges]
    privileges = & lt; Privileges (separated by forward slashes (/)) & gt;
           [For example, SeBackupPrivilege / SeRestorePrivilege]

Programmers, Start Your Engines!

Why spend time searching for the correct question and then entering your answer when you can find it in a second? That's what CompuTicket is all about! Here you'll find thousands of questions and answers from hundreds of computer languages.

Recent questions