I create a policy that applies a startup script (a computer policy). Script code:
mklink c:\log\cmd.link.exe C:\Windows\System32\cmd.exe >> C:\log\symlink.log 2>&1
I roll it out to machines running Win7 32/64-bit; UAC is disabled everywhere. In the log
C:\log\symlink.log I invariably see the error "not enough privileges to perform this operation."
What could be the problem? Google suggests only "run CMD as administrator", or granting everyone the privilege to create links, but when the script is started by hand as administrator, or as SYSTEM (via
psexec -s -e), everything works. The problem occurs only when it is applied through the policy.
I even tried wrapping it in PowerShell (just in case):
start-process -filepath "$env:windir\system32\cmd.exe" -argumentlist "/c mklink c:\log\cmd.link.exe C:\Windows\System32\cmd.exe >> c:\log\symlink.txt 2>&1" -verb runas
That does not help either; the error is the same…
Maybe there is some kind of analog of mklink for PowerShell? I could not find anything.
Added to the script
whoami /all > C:\log\symlink.log 2>&1
at the request of comrade Petseral. Command output:
USER INFORMATION
----------------
User Name           SID
=================== ========
nt authority\system S-1-5-18

GROUP INFORMATION
-----------------
Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level                  S-1-16-16384

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeTcbPrivilege                Act as part of the operating system       Enabled
SeSecurityPrivilege           Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege      Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege         Load and unload device drivers            Disabled
SeCreatePermanentPrivilege    Create permanent shared objects           Enabled
SeBackupPrivilege             Back up files and directories             Disabled
SeRestorePrivilege            Restore files and directories             Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
Answer 1, Authority 100%
Startup scripts are executed by the Group Policy Client (gpsvc) service and have the same set of privileges as the service itself. By default, the service runs as the system account, but the service sets the list of required privileges, and the SeCreateSymbolicLinkPrivilege privilege is not included in this list.
When a service process starts, privileges not specified in the list required for the service (for services running in WIN32_SHARE_PROCESS mode, a combined list of all services that can run in this process is used) are excluded from the process token.
Thus, the gpsvc service does not receive the SeCreateSymbolicLinkPrivilege privilege because it does not request it. The Group Policy scripts that this service runs do not get this privilege either, so trying to create a symbolic link fails.
To fix the error, add the SeCreateSymbolicLinkPrivilege privilege to the list of privileges required for the gpsvc service. This can be done using the
sc console command of the
C:\> sc privs
DESCRIPTION:
        Changes the required privileges setting of a service.
        The privilege settings take effect when the service process starts,
        as the first service in the process is started. At that point the
        service control manager (SCM) computes the set of all privileges
        required by all services that will run in this process, and then
        creates the process with those privileges. If this setting is
        absent, the service is assumed to require all the privileges that
        the security subsystem allows for a process running under the
        account configured for this service.
USAGE:
        sc <server> privs [service name] [privileges]
OPTIONS:
        privileges = <Privileges (separated by forward slashes (/))>
                     [For example, SeBackupPrivilege/SeRestorePrivilege]
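The fix this answer describes, as an added PowerShell example (not part of the original answer): it reads the service's current list with sc qprivs and writes it back with the extra privilege, because sc privs sets the whole list rather than appending to it. It assumes an elevated session and an account that is allowed to change the gpsvc service configuration.

```powershell
# Added example, not from the original answer. Run from an elevated session.
# Service and privilege names are the ones named in the answer above.
$Service   = 'gpsvc'
$Privilege = 'SeCreateSymbolicLinkPrivilege'

# In PowerShell, plain "sc" is an alias for Set-Content, so call sc.exe explicitly.
$raw = (& sc.exe qprivs $Service) -join "`n"
if ($LASTEXITCODE -ne 0) { throw "sc qprivs $Service failed:`n$raw" }

# Pull every Se*Privilege token out of the output, whatever its layout.
$current = @([regex]::Matches($raw, '\bSe[A-Za-z]+Privilege\b') |
             ForEach-Object { $_.Value } | Select-Object -Unique)

if ($current.Count -eq 0) {
    # No list configured: per the sc privs help text the service is then assumed to
    # require every privilege its account allows. Writing a one-item list here
    # would strip all the others from the process token, so leave it alone.
    Write-Output "$Service has no required-privileges list; nothing to change."
    return
}
if ($current -contains $Privilege) {
    Write-Output "$Service already requests $Privilege."
    return
}

# Pass the existing entries plus the new one, joined with forward slashes
# as the help text specifies.
$newList = ($current + $Privilege) -join '/'
& sc.exe privs $Service $newList
if ($LASTEXITCODE -ne 0) { throw "sc privs $Service failed with exit code $LASTEXITCODE" }

# Read the setting back and confirm the privilege is now listed.
$check = (& sc.exe qprivs $Service) -join "`n"
if ($check -notmatch [regex]::Escape($Privilege)) { throw "$Privilege missing after update" }
Write-Output "Updated. The change applies the next time the $Service process starts."
```

Because services in a WIN32_SHARE_PROCESS host get the combined list, the added privilege ends up in the token of every service sharing that process, so add only the one privilege the script needs.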