File servers have always been a curious paradox for the IT professional in charge of managing them. On one hand, you’re the person responsible for the file server, and so it’s your mission to make sure that it works. It’s your mission to make sure that the unnecessary stuff isn’t on there, perhaps clogging up things or taking up space that could be better used for corporate projects and actually useful things. On the other side are the users who see a vast openness of available space with which to store, in many cases, anything they want. Adding to this complexity is the fact that the users aren’t typically tasked with managing their own space. And so, your job is to manage the space, but you have no idea what the content is or whether it’s useful or not. The users are not in charge of managing the space, but they know what’s important to them and important to the company.
It’s because of this paradox that solutions like FSRM exist. The File Server Resource Manager is a tool for solving this problem of what kinds of content should and should not be on a machine. What’s particularly great about FSRM is that it’s a really easy solution to use. And when you start to poke around into the things that you can do on a file-by-file basis, I think you’ll appreciate that simply installing the FSRM role service, the very first task that we have to do here, is something you’ll probably want to do.
What this part covers
- Install the FSRM role
- Configure Quotas
- Configure file screens
- Access-Denied Assistance
Let’s get started.
Install the FSRM role
We can install it through Server Manager or with PowerShell. Let’s install it through Server Manager first. Start Server Manager and go to Manage, then Add Roles and Features.
The Before you begin page will pop up. Click through the Before you begin, Installation type and Select destination server pages, accepting the defaults.
When you get to the Select server roles screen, scroll down to the File And Storage Services area expand File and iSCSI services and check File Server Resource Manager. When you do this, you’ll be prompted to add additional features. Click Add Features and click Next to move on.
On the Select features screen, click Next, accepting the defaults. On the Confirm installation selections screen, you can click Install. Now you can sit back and wait for FSRM to install.
Once done, click Close.
Install FSRM with PowerShell. Open PowerShell as admin and type in
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
To access FSRM, open Server Manager -> Tools -> File Server Resource Manager.
We can take a look at FSRM console and then the different things that it can accomplish.
Configure Quotas (Quota Management)
First in the list is Quota Management. Often, you end up in a situation where you’ve got users who really just abuse the amount of storage space that you have. These days, when a terabyte fits into something you can hold in the palm of your hand, the whole idea of storage space has evolved quite a bit. There are still certain circumstances where setting quotas on particular files and folders can be useful to prevent that file or folder from becoming too large. In the real world, the location where quota management is used the most is typically roaming profiles. This has less to do with the idea that you’re consuming a bunch of space and space is expensive. It has more to do with the fact that roaming profiles require those profiles to be copied in their entirety every time the user logs in. Here, under Quota Management, we have two different items to look at:
Quotas and Quota Templates
Let’s take a look at Quota Templates first. These are just a series of templates that define the characteristics you want to control through the quotas that you later create.
Let’s open one. I will double-click on 100 MB Limit. That will open the quota template properties.
To start with the settings of an existing template, expand the list under Copy properties from quota template (optional), select the template you would like to use and then click Copy.
This 100 MB limit defines the limit on a specific folder. When that folder hits 100 MB, no matter what the content is and no matter how it got there, the notifications you set up here fire. So as you approach the limit, FSRM can send emails, write events into the event log, etc.
Hard Quota -> Forbid users from adding additional content after that 100 MB quota is exceeded.
Now, it’s here we have to be kind of cautious about the setting of a hard quota versus a soft quota. If you end up in a situation where a hard quota actually prevents a person from adding files and folders, that could actually impact the use of roaming profiles. So here, you can choose whether or not you want to prevent users from exceeding the limit or if you want to allow them to exceed the limit but just notify you that indeed, they have exceeded that limit. In most real-world circumstances, it’s best to set a soft quota first, and then use that as your monitoring tool to perhaps proactively help users to get themselves underneath a certain limit. In the case of hard quotas, sometimes there could be fallout effects that end up causing users more pain than the amount of space that they’re consuming.
Let’s click on Add under the notification thresholds. For each threshold, we can set the notifications that we want:
Email Threshold – we can send a specific email message to the user who exceeded the threshold.
Event Log – We can configure an event log error, so a warning that gets popped up into the event log. One assumes that in setting these event log errors, that you would have some solution monitoring the event log for exactly the error message that you’re creating.
Command – You can also run a command, so if you’ve got a PowerShell command or a script or a VBScript or even a batch script, you can run that script here using one of the following command security contexts: Local Service, Network Service, or Local System. Pick the least-privileged of these that the script can work with, since Local System has full control of the server.
Report – You can generate a report any time this threshold gets exceeded and send that report to one or more administrators, so that they’re aware of the problem and have all the data they need to help that person resolve it.
These are the default quota templates. As a best practice, Microsoft highly recommends that you use templates as the mechanism to define quotas. That’s why we’re starting here with the templates as opposed to the quotas themselves. If you would like to create your own templates, you can do it by right-clicking on Quota Templates and selecting Create Quota Template.
Let’s see how we can create our own quota.
Right-click on Quotas and select Create Quota.
The Create Quota wizard will pop up.
Quota Path -> Click on Browse and browse to the folder where you want to apply this quota.
Create quota on path vs. Auto apply template and create quotas on existing and new subfolders -> One of the big things about choosing to create a quota on the specific path is that it doesn’t do much if additional quotas need to be configured on folders below that path. When you choose the first option, it will limit the entire main folder or volume. The second option allows you to create what is called an auto-apply quota, which automatically applies the template that you create or assign and then creates the quotas on any existing and new subfolders of the path that we’re identifying here. So the second option will limit the subfolders. It will not limit the main folder itself, but subfolders within that folder.
If you are using roaming profiles, typically those profiles are subfolders of some folder that exists on a file server somewhere. So if the quota path were our company roaming profiles location, its subfolders would usually correspond to the username of the person associated with each roaming profile. It’s here where the auto-apply template can be used relatively easily to create that quota automatically whenever a new user creates a roaming profile.
Here we can define where the properties are coming from, whether it be from one of the templates
Or we can click on Define custom properties and create our own template.
Once done, click on Create. Note! I created my own template, 10 MB Limit. I need to point this out in case you are wondering why you don’t have it in the list.
Here it is.
Now if I try to copy/move a file larger than 10 MB into that folder, I will run into this.
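The soft-quota-first approach for roaming profiles described above can also be scripted with the FileServerResourceManager PowerShell module. This is an added example, not part of the original walkthrough; the folder path, template name, size and threshold percentages are assumptions.

```powershell
# Added example: the path, template name, size and percentages are assumptions.
Import-Module FileServerResourceManager

$profileRoot  = 'D:\Profiles'            # assumed parent folder of the per-user profile folders
$templateName = 'Profiles 500 MB Soft'   # assumed template name

# Event log action: writes a warning to the Application log when a threshold is crossed.
$warnEvent = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] reached [Quota Threshold]% of the quota on [Quota Path].'

# E-mail action to the administrator address configured in the FSRM options.
$warnMail = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Quota threshold reached on [Quota Path]' `
    -Body 'User [Source Io Owner] is at [Quota Used Percent]% of [Quota Limit MB] MB.'

# Notification thresholds: log at 85%, log and mail at 100%.
$t85  = New-FsrmQuotaThreshold -Percentage 85  -Action $warnEvent
$t100 = New-FsrmQuotaThreshold -Percentage 100 -Action $warnEvent, $warnMail

# Soft quota: users can exceed the limit, the notifications still fire.
New-FsrmQuotaTemplate -Name $templateName -Size 500MB -SoftLimit -Threshold $t85, $t100

# Auto-apply quota: every existing and new subfolder of $profileRoot gets its own quota.
# The parent folder itself is not limited.
New-FsrmAutoQuota -Path $profileRoot -Template $templateName

# Review usage per profile folder before deciding whether a hard quota is safe.
Get-FsrmQuota |
    Where-Object { $_.Path -like "$profileRoot\*" } |
    Sort-Object Usage -Descending |
    Select-Object Path, SoftLimit,
        @{ Name = 'UsedMB';  Expression = { [math]::Round($_.Usage / 1MB, 1) } },
        @{ Name = 'LimitMB'; Expression = { [math]::Round($_.Size  / 1MB, 1) } }
```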
Configure file screens
Now, one of the biggest notions of file servers is that they provide a place for people to put their stuff onto. And without any kind of control of that, a lot of times, users will end up just storing whatever they want onto those file servers without really considering the types of reasons for why that file server exists.
File screening management here provides a way, through file groups, also through templates, and then through the file screens themselves, of identifying the files that you don’t want by file extension, by determining what you want to do when they appear, and then applying those to the locations that you want to ensure are screened out so that those files don’t appear.
A common example of those are, down here, under File Groups, where we have a list of just different kinds of files that are commonly thought of as perhaps not great files to exist on a file server. More often than not, the file server contains office documents or other artifacts, projects that need to be constrained in one location that people can access. But these other kinds of things, like audio and video files and backup files and executable files and image files, can sometimes be the extraneous kinds of data that you don’t want on that machine.
Let’s double-click on, for example, the Audio and Video Files group to open it and see what it looks like. Here we can see which extensions are included in this group, which means that every extension in this list will be blocked if we apply this group to a location via a file screen template. If we would like to exclude some of them, we can do that as well by adding them to the files to exclude.
If you would like to create a new file group, you can do it by right-clicking on File Groups and selecting Create File Group, or by clicking on the Create File Group link in the Actions pane.
Once you create the file group, then you go backwards through the file screen templates, which provides more of the logic associated with the type of file group that you don’t want on that machine.
Let’s double-click on the Block Audio and Video Files template.
So here, the template Block Audio and Video Files, which is active, says that when there is an audio or video file, as defined by the file group that we’ve configured under File Groups, go ahead and actually perform some activity. This is active screening, which is turned on: do not allow users to save those unauthorized files in the location that we later tag this template to. Or, alternatively, just like before, we could use passive screening, where we would allow the users to upload those files, but then send an alert in one or more forms to an administrator, to let them know what’s going on.
These same alerts can occur in just the same ways that we did before.
We can send an email message to the administrator or to the user who attempted to save the unauthorized file. We can configure an event log error, so that our warning message appears in the event log. We can also configure a command, a PowerShell, VBScript, or batch file that executes whenever that person attempts to upload the file. And we can configure a report to be generated about what’s going on on the machine, and perhaps email that to an administrator. So all of these, again very similar to how things worked over in quota management, provide the mechanism to define the rules of what should happen when someone attempts to upload that file onto this machine.
Now, none of this actually does anything until up here at the top, where we actually apply the file screen using the template that we’ve created.
So let’s create a file screen. Right-click on File Screens and select Create File Screen.
The Create File Screen window will pop up. Identify the path where you would like to apply this rule and, just like before, define where the properties are coming from, whether it be from one of the templates that we created, or we can click on Define custom file screen properties. Once done, click on Create.
Here it is.
Now if I try to copy/move some mp3 file into that folder I will run into this.
It will also generate an event in Event Viewer.
As we can see here, this rule will apply to all users. If you would like to make an exception and let, for example, admins or some other user save mp3 files, you would need to create a file screen exception.
A file screen exception is a special type of file screen that overrides any file screening that would otherwise apply to a folder and all its subfolders in a designated exception path. That is, it creates an exception to any rules derived from a parent folder.
Note! You cannot create a file screen exception on a parent folder where a file screen is already defined. You must assign the exception to a subfolder or make changes to the existing file screen. What this means is that if you exclude mp3 from a template that is already applied to a folder, you will remove the block for every user, and every user will be able to save mp3 files to that folder. What you need to do is create a new subfolder or use an existing one, configure permissions so that you choose who will be able to see and access that folder, and create a new file group.
I created the subfolder Admins. Then I right-clicked on File Screens and selected Create File Screen Exception. After you add the path, you will need to click on Create. There I created a new file group and included *.mp3 so that admins can save mp3 files into that folder, which is within the Screens folder.
The main gist of what I’m trying to show you here is that in all of these cases, it’s best to start really at the bottom and work your way up. Doing so allows you to create all the policies that then, like the layers of an onion, fold into each other to ultimately create the file screen you applied at that location.
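The same bottom-up sequence (file group, file screen from a template, exception on a subfolder) written with the FileServerResourceManager cmdlets. This is an added example, not the author's own steps; the folder paths and the MP3 Files group name are assumptions, and Block Audio and Video Files is the built-in template opened earlier.

```powershell
# Added example: paths and the 'MP3 Files' group name are assumptions.
Import-Module FileServerResourceManager

$screenPath    = 'D:\Shares\Screens'          # assumed folder to screen
$exceptionPath = 'D:\Shares\Screens\Admins'   # assumed subfolder; it must already exist

# 1. File group that the exception will allow.
#    FSRM matches on the file name pattern only; it does not inspect file content.
New-FsrmFileGroup -Name 'MP3 Files' -IncludePattern '*.mp3'

# 2. Active file screen on the parent folder, taken from the built-in template.
New-FsrmFileScreen -Path $screenPath -Template 'Block Audio and Video Files'

# 3. Exception on the subfolder only. An exception cannot be created on the
#    folder that carries the file screen itself.
New-FsrmFileScreenException -Path $exceptionPath -IncludeGroup 'MP3 Files'

# The exception applies to anyone who can write to the subfolder, so the NTFS
# and share permissions on $exceptionPath decide who is actually exempt.

# 4. Confirm what is in force.
Get-FsrmFileScreen -Path $screenPath |
    Select-Object Path, Template, Active, IncludeGroup
Get-FsrmFileScreenException -Path $exceptionPath |
    Select-Object Path, IncludeGroup

# 5. Recent FSRM entries in the Application log, where the blocked attempts
#    from the template's event log notification show up.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC' } -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```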
Access-Denied Assistance
Right-click on the FSRM server and select Configure Options -> Access-Denied Assistance tab.
This Access-Denied Assistance tab allows me to turn on access-denied assistance and then to provide the user with a message if they’ve been denied access to a folder for one reason or another. I can customize this message and add any other information that is important, so that when the user gets denied access to the file, they know what to do. When that user gets denied access to the file, there is also the ability to configure what are called email requests.
Click on Configure email requests.
Email request assistance allows the user to send an email to a specific recipient list. A button appears in the dialog box that shows up when the user is denied access, and the email it generates can go to the folder owner and the administrator, with this text added at the end of the email. It can also generate an event log entry for each email sent. Essentially what this means is that when the user gets that access-denied message and sees that there is a problem, they have the ability to request further assistance by generating an email message.
Obviously in order for this to work, you’ll have to have your email settings configured under Email Notifications with an appropriate SMTP server and where the default email settings should go, but this gives those users just a little bit of extra information about why they got denied and the ability to request further assistance.
You can also click on the Preview button to see what the error message will look like.
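The Access-Denied Assistance and email request settings from this tab, configured from PowerShell. This is an added example, not part of the original article; the SMTP server, the mail addresses and the message texts are placeholders.

```powershell
# Added example: server name, addresses and message texts are placeholders.
Import-Module FileServerResourceManager

# E-mail requests depend on the FSRM e-mail notification settings.
Set-FsrmSetting -SmtpServer 'smtp.example.com' `
    -AdminEmailAddress 'fileadmins@example.com' `
    -FromEmailAddress  'fsrm@example.com'

# Verify that the server can actually send mail before relying on requests.
Send-FsrmTestEmail -ToEmailAddress 'fileadmins@example.com'

# Message shown to the user in the access-denied dialog.
$display = 'You do not have permission to open this folder. ' +
           'If you need access for your work, use Request assistance below.'

# Text appended to the end of the request e-mail.
$mailText = 'This request was generated from the access-denied dialog on the file server.'

Set-FsrmAdrSetting -Event AccessDenied `
    -Enabled `
    -DisplayMessage $display `
    -AllowRequests `
    -MailToOwner `
    -MailCCAdmin `
    -EmailMessage $mailText `
    -EventLog

# Read the settings back to confirm what users will see and who is mailed.
Get-FsrmAdrSetting -Event AccessDenied |
    Format-List Enabled, AllowRequests, MailToOwner, MailCCAdmin, EventLog, DisplayMessage
```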
That’s it. In the next part we will take a look at
- Configure reports
- Classification Management
- Configure file management tasks
Thanks for reading!