Read-only NTFS junction point or symlink


On our file server, we have a directory, let’s say S:\, that is shared out as \\server\share. This share is mounted (mapped) by our application server, as, say, M:\ = \\server\share.

We use a particular Windows user, batchUser, to run batch processes on our application server. These processes create/modify/etc. files in this directory (or its subdirectories), and so this user ID has the appropriate write permissions.

On the server is a directory tree containing, among other things, the directories S:\rootDir1\subDir and S:\rootDir2. Some of our processes write to this directory. A couple of our processes need to read from this directory, but they must be prevented at all costs from writing to this directory. Furthermore, these read-only processes must also run as the same user ID.

For various other reasons, the read-only processes access this subDir via a junction that is set up on the file server. That is, on the file server, there is a junction S:\rootDir2\subDir => S:\rootDir1\subDir. Thus, on our application server, the applications see two directories, M:\rootDir1\subDir and M:\rootDir2\subDir.

We need to ensure that the read-only processes do not modify or write to the M:\rootDir2\subdir directory in any manner. Is there any way to make the junction on the file server a “read-only” junction?

One issue with this is that we need to preserve the directory tree structure for the read-only processes. That is, the read-only processes must see the directory tree M:\rootDir2 as we have it and be able to write to all other directories within this tree except for the M:\rootDir2\subdir junction.

Lastly, this must be done with junctions (that are processed on the file server side) and not symlinks that are processed on the app server side. (This is a requirement because of other issues, such as accessing the directories via different interface cards, i.e. different networks.)


Dokan has an example application called “mirror” which you could possibly use.

It has a flag, “/w”, which allows mounting a directory as read-only.
