Thursday, August 18, 2011

Navigating Remote Symlinks on a Windows Server from a Windows Client (or, Poor Man’s DFS Links Without DFS Installed)

I set up a bunch of symlinks in a share on a Windows Server 2008 R2 install, pointing to a range of different UNC paths. My testing on the server showed that the symlink traversal was working fine, but on a Windows 7 install I was getting the following error:

“The symbolic link cannot be followed because its type is disabled.”

Odd error. After much mucking about I found that the fsutil command is used to control this behaviour. The following command was used to display the current symlink evaluation methods:

fsutil behavior query SymlinkEvaluation

which resulted in the following:

Local to local symbolic links are enabled.
Local to remote symbolic links are enabled.
Remote to local symbolic links are disabled.
Remote to remote symbolic links are disabled.

Bingo. The Remote to Local evaluation mode is disabled, which is causing the error. Local to Remote evaluation mode is enabled, which is why the symlink traversal was working on the server. I verified that the problem was resolved by issuing the following command on the Windows 7 install:

fsutil behavior set SymlinkEvaluation L2L:1 L2R:1 R2R:1 R2L:1

Excellent, the symlinks are now followed without error. Finally I rolled out the above change via Group Policy. The four modes can be controlled by using Group Policy Editor and navigating to Computer Configuration > Administrative Templates > System > Filesystem and configuring "Selectively allow the evaluation of a symbolic link".

6 comments:

Unknown said...

I have enabled all of the links by using this code :
fsutil behavior set SymlinkEvaluation L2L:1 R2R:1 L2R:1 R2L:1

I am still getting the error. Any ideas?

Unknown said...

Hello there,

I have enabled all of the link by using this code:
fsutil behavior set SymlinkEvaluation L2L:1 R2R:1 L2R:1 R2L:1

I am still getting the error.
Any ideas?

stryqx said...

@Jeff when you run "fsutil behavior query SymlinkEvaluation", it comes back and tells you that all four modes are enabled?

Anonymous said...

yes, all enabled, still getting same error.

stryqx said...

Hmm. Might be worth checking the local Group Policy settings and the associated registry settings. It's also possible that your anti-malware package is getting in the wat

Anonymous said...

We had the same issue, all show as enabled with fsutil but it still complained with an error 1463 "The symbolic link cannot be followed because its type is disabled." anyway. Finally found the solution in another regkey: HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\SymlinkRemoteToRemoteEvaluation should ALSO be set to 1 (at least this solved the error in our case).

Source, marked as answer in this thread : https://social.technet.microsoft.com/Forums/ie/en-US/73daeab5-332e-4bfd-91e5-b41f38974cce/windows-7-symbolic-link-behavior-incorrect?forum=w7itprogeneral