Friday, 18 January 2013

... a way out of Windows symlink permission hell

For some reason we needed to create symlinks on a Windows file share. Our environment was symlink-ready (Win7 & WinServer 2008R2 & SMB2 everywhere). We started trying ... sometimes it worked, sometimes it did not. Sometimes we received "You do not have sufficient privilege to perform this operation". Frustrating.
Finally we managed to make it work. We can now create symlinks from our server app directly in a shared folder.

Prerequisites
  • Windows 7+ and Windows Server 2008 R2+, with SMB2 enabled

Fileserver setup
  • the user who will create symlinks must be
    • granted the "Create symbolic links" privilege (use the Local Security Policy tool on the server)
    • granted the modify right on the folder containing the symlink
Client setup
  • the user who will create symlinks must be granted the "Create symbolic links" privilege (use the Local Security Policy tool on the client)
  • the right to create symlinks must not originate from the Administrators group -> the right must be granted directly to the user or indirectly via a security group
  • the user should not be a member of the Administrators group, or the Administrators group should not carry the Create symlink permission (UAC disables the permission when it comes from the Administrators group --- UAC is EVIL)
  • depending on the link type used, the client computer must be able to resolve symlinks of that type
    • turn symlink evaluation on with the following command (enables all kinds of symlinks)
      • fsutil behavior set symlinkevaluation L2L:1 L2R:1 R2L:1 R2R:1
If everything goes well, you should be able to run the following command to create a directory symlink:

mklink /d \\server1\links-are-here\this-is-a-link \\server2\data-are-here\this-is-a-link-target
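
When the command still fails, the client-side conditions listed above can be checked one by one. The PowerShell script below is an added example, not part of the original post. It assumes PowerShell 3.0 or later and a normal (non-elevated) session of the user who will create the links; the default paths are the post's own example paths and the test link name is made up.

```powershell
param(
    # Defaults reuse the example paths from the post; replace with your own.
    [string]$LinkDir = '\\server1\links-are-here',
    [string]$Target  = '\\server2\data-are-here\this-is-a-link-target'
)

# 1. The privilege must be present in the current token. State "Disabled" is
#    fine; a missing row means it was never granted or UAC filtered it out.
$hasPriv = [bool](whoami /priv |
    Select-String -SimpleMatch 'SeCreateSymbolicLinkPrivilege' -Quiet)

# 2. Administrators membership (well-known SID S-1-5-32-544, which is not
#    localized). whoami lists the group even when UAC made it deny-only.
$inAdmins = [bool](whoami /groups | Select-String 'S-1-5-32-544\b' -Quiet)

# 3. Client-side evaluation policy. Windows ships with the remote-to-local and
#    remote-to-remote classes disabled. Output text is localized, so it is
#    shown rather than parsed; fsutil may require an elevated prompt.
$evaluation = (fsutil behavior query symlinkevaluation) -join "`n"

# 4. Real test: create a throwaway directory symlink on the share, then
#    remove it. rmdir deletes only the link, never the target's contents.
$link = Join-Path $LinkDir ('symlink-test-' + [guid]::NewGuid().ToString('N'))
$mklinkOutput = (cmd /c mklink /d "$link" "$Target" 2>&1) -join "`n"
$created = ($LASTEXITCODE -eq 0)
if ($created) { cmd /c rmdir "$link" | Out-Null }

[pscustomobject]@{
    PrivilegeInToken  = $hasPriv
    InAdministrators  = $inAdmins
    LinkCreated       = $created
    MklinkOutput      = $mklinkOutput
    SymlinkEvaluation = $evaluation
} | Format-List

if (-not $hasPriv -and $inAdmins) {
    Write-Warning ('Privilege missing while the account is in Administrators: ' +
        'grant "Create symbolic links" to the user or a non-admin group.')
}
```

A result of PrivilegeInToken = False together with InAdministrators = True matches the UAC case described in the client setup list.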