os.symlink calls CreateSymbolicLink, which creates the reparse data buffer with the print name stored first, so the offset is always 0. Otherwise we would have noticed this problem already. For example:
>>> os.symlink('C:\\', 'link', True)
>>> os.system('fsutil reparsepoint query link')
Reparse Tag Value : 0xa000000c
Tag value: Microsoft
Tag value: Name Surrogate
Tag value: Symbolic Link
Reparse Data Length: 0x00000020
Reparse Data:
0000: 06 00 0e 00 00 00 06 00 00 00 00 00 43 00 3a 00 ............C.:.
0010: 5c 00 5c 00 3f 00 3f 00 5c 00 43 00 3a 00 5c 00 \.\.?.?.\.C.:.\.
As you can see above, CreateSymbolicLink stores the "PrintName" DOS path (e.g. "C:\") first, with an offset of 0, followed by the "SubstituteName" NT path (e.g. "\??\C:\").
The "All Users" link, on the other hand, seems to have been created manually with an inverted order. I have ctypes code to manually create a similar link (calling OpenProcessToken/AdjustTokenPrivileges to enable the required privilege and CreateFile/DeviceIoControl to set the reparse point), but I doubt it's worth adding it just to test this bug.