Giving Select Windows Domain Users Symbolic Link Privilege

Posted by fp0n on Server Fault
Published on 2012-06-08T21:09:54Z

I would like to set up select users on our domain to have the ability to create symbolic links on local NTFS drives and network shares without needing to run as Administrator, as part of an application which will call the CreateSymbolicLink() API directly. The default configuration for our users is to be Administrator of their computer and I think I am fighting UAC to make the privileges work the way that I want because of that. I found this link on MSDN: http://social.msdn.microsoft.com/Forums/en-SG/windowssdk/thread/fa504848-a5ea-4e84-99b7-0eb4e469cbef which describes the interaction between the SeCreateSymbolicLinkPrivilege, UAC and a domain but really does not have a solution. Here are the three options I've come up with:

1) Create a new group, give the SeCreateSymbolicLinkPrivilege to the group and assign users to the group
2) Give each individual user (2 now, more later) the privilege
3) Give the privilege to the default User group which opens it up to all Users
4) Change config so Users are not Admins by default (probably would work but not likely)

Based on my testing, only 3 works for me and that is the least desirable but I've only got a local server to test with, not a domain. I need to recommend to the admin how to set this up and also have something that we can easily explain to other users of our application that are on their own domain or not on a domain. The other option seems to be to create a Service that runs with a SYSTEM account that creates the links for the application but I'd rather not go that route. Thanks.
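
The following diagnostic is an added example, not part of the original post: it reports what the current process token actually contains, which is the check to run after each of the options above (log off and on again first so the token is rebuilt). The variable names and the inference of a UAC-filtered token (Administrators SID listed by `whoami /groups` while `IsInRole` returns false) are assumptions of this example.

```powershell
# Added diagnostic example (not from the original post).
# Shows whether this process token holds SeCreateSymbolicLinkPrivilege and
# whether the process is running with a UAC-filtered administrator token.

$symlinkPriv = 'SeCreateSymbolicLinkPrivilege'
$adminsSid   = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# /nh drops the localized header row; explicit headers keep parsing
# independent of the display language.
$privs  = whoami /priv   /fo csv /nh |
          ConvertFrom-Csv -Header Name, Description, State
$groups = whoami /groups /fo csv /nh |
          ConvertFrom-Csv -Header Name, Type, Sid, Attributes

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# True only when the Administrators group is enabled in this token
# (that is, the process is elevated or UAC is off).
$adminEnabled = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami lists the group even when it is present only as a deny-only SID.
$adminListed = [bool]($groups | Where-Object { $_.Sid -eq $adminsSid })

# A privilege that is listed is held by the token, whatever its State column says.
$privRow = $privs | Where-Object { $_.Name -eq $symlinkPriv }

# Assumption of this example: Administrators listed but not enabled
# means the token was filtered by UAC.
$filtered = $adminListed -and -not $adminEnabled

New-Object PSObject -Property @{
    User                  = $identity.Name
    AdministratorsListed  = $adminListed
    AdministratorsEnabled = $adminEnabled
    LikelyFilteredToken   = $filtered
    HasSymlinkPrivilege   = [bool]$privRow
    SymlinkPrivilegeState = if ($privRow) { $privRow.State } else { 'not in token' }
} | Format-List
```

Run it once from a normal prompt and once from an elevated prompt as the same user; a difference in `HasSymlinkPrivilege` between the two runs shows that the privilege assignment is reaching the account and that the difference comes from the token the process was started with.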
