On 5/30/2013 5:03 AM, Corinna Vinschen wrote: > On the other hand, in the same situation the UAC-crippled admins's token > does not contain the "Create symbolic links" right: > > $ /cygdrive/c/Windows/System32/whoami /priv > > PRIVILEGES INFORMATION > ---------------------- > > Privilege Name Description State > ============================= ==================================== ======== > SeShutdownPrivilege Shut down the system Disabled > SeChangeNotifyPrivilege Bypass traverse checking Enabled > SeUndockPrivilege Remove computer from docking station Disabled > SeIncreaseWorkingSetPrivilege Increase a process working set Disabled > SeTimeZonePrivilege Change the time zone Disabled > > I also changed the "Create symbolic links" policy so that the "Users" > group is the only group getting this right. In other words, I removed > the "Administrators" group entirely, logged off, logged on, and the > result was the same as above. > > This is a bug in UAC if you ask me. It seems to remove privileges from > the UAC-crippled admin's token based on a fixed internal list, totally > ignorant of changes in the security policy.
This is a design flaw but it is working as documented. Administrators have SeCreateSymbolicLinkPrivilege by default so UAC removes it. What UAC should do in my opinion is not remove a static list of permissions but only remove those permissions that are not granted to standard users. If your organization is a user of native symlinks and you have a support agreement with Microsoft, I recommend filing a support request to have this behavior changed. Jeffrey Altman -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
