How to Set Up a File Server on Windows Server 2016

How to Configure Windows Server 2016 File Server

Windows Server 2016 includes a robust set of file server features under the File and Storage Services role. A file server provides centralized storage for shared folders, enabling users and applications to access files over the network. This guide covers installing the File Server role, creating SMB shares, configuring permissions, enabling quotas and file screening using File Server Resource Manager (FSRM), and monitoring share access.

Step 1: Install the File Server Role

# Install File Server role and FSRM (File Server Resource Manager)
Install-WindowsFeature -Name FS-FileServer, FS-Resource-Manager -IncludeManagementTools

# Verify installation
Get-WindowsFeature -Name FS-FileServer, FS-Resource-Manager | Select-Object Name, InstallState

Step 2: Create a Shared Folder

Create the folder on disk and then configure it as an SMB network share:

# Create the directory on the D: drive (or another data volume)
New-Item -ItemType Directory -Path "D:SharesCompanyData" -Force
New-Item -ItemType Directory -Path "D:SharesCompanyDataFinance" -Force
New-Item -ItemType Directory -Path "D:SharesCompanyDataHR" -Force

# Create an SMB share with full control for Everyone at the share level
New-SmbShare -Name "CompanyData" -Path "D:SharesCompanyData" `
    -Description "Company shared data" `
    -FullAccess "Domain Admins" `
    -ChangeAccess "Domain Users" `
    -ReadAccess "Everyone"

# List all current shares
Get-SmbShare | Select-Object Name, Path, Description

Step 3: Configure NTFS Permissions

NTFS permissions provide granular, file-level access control in addition to share-level permissions. The effective access a user has is the intersection of share and NTFS permissions — the more restrictive of the two applies:

# View current NTFS permissions on the folder
Get-Acl -Path "D:SharesCompanyData" | Format-List

# Grant Modify permission to the Finance group on the Finance subfolder
$acl = Get-Acl -Path "D:SharesCompanyDataFinance"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("CORPFinance_Users","Modify","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path "D:SharesCompanyDataFinance" -AclObject $acl

# Deny access to a specific user
$denyRule = New-Object System.Security.AccessControl.FileSystemAccessRule("CORPTempUser","FullControl","ContainerInherit,ObjectInherit","None","Deny")
$acl = Get-Acl -Path "D:SharesCompanyDataFinance"
$acl.AddAccessRule($denyRule)
Set-Acl -Path "D:SharesCompanyDataFinance" -AclObject $acl

Step 4: Configure Shadow Copies (Previous Versions)

Shadow Copies allow users to recover previous versions of files without administrator involvement:

# Enable Shadow Copies on the D: drive
# First, check if Volume Shadow Copy Service is running
Get-Service VSS | Select-Object Status

# Enable shadow copies via vssadmin (scheduled twice daily by default)
vssadmin add shadowstorage /for=D: /on=D: /maxsize=10GB

# Create a shadow copy immediately
vssadmin create shadow /for=D:

# List existing shadow copies
vssadmin list shadows /for=D:

# Schedule shadow copies (using Task Scheduler for 7am and 12pm)
$taskAction = New-ScheduledTaskAction -Execute "vssadmin.exe" -Argument "create shadow /for=D:"
$taskTrigger1 = New-ScheduledTaskTrigger -Daily -At "07:00AM"
$taskTrigger2 = New-ScheduledTaskTrigger -Daily -At "12:00PM"
Register-ScheduledTask -TaskName "Shadow Copy D 7AM" -Action $taskAction -Trigger $taskTrigger1 -RunLevel Highest
Register-ScheduledTask -TaskName "Shadow Copy D 12PM" -Action $taskAction -Trigger $taskTrigger2 -RunLevel Highest

Step 5: Configure Disk Quotas Using FSRM

File Server Resource Manager quotas limit the amount of disk space users or folders can consume:

# Create a quota on the Finance share folder (1 GB hard limit)
New-FsrmQuota -Path "D:SharesCompanyDataFinance" `
    -Description "Finance folder 1GB limit" `
    -Size 1GB

# Create a soft quota (warning only, no enforcement)
New-FsrmQuotaTemplate -Name "200MB Warning" -Size 200MB -SoftLimit $true

# Apply the template to a folder
New-FsrmQuota -Path "D:SharesCompanyDataHR" -Template "200MB Warning"

# View all quotas
Get-FsrmQuota

Step 6: Configure File Screening

File screening blocks users from saving certain file types (such as MP3s or executables) to shared folders:

# Create a file screen to block audio and video files
New-FsrmFileScreen -Path "D:SharesCompanyData" `
    -Description "Block multimedia files" `
    -IncludeGroup @("Audio and Video Files") `
    -Active $true

# List existing file screen groups
Get-FsrmFileGroup

# View active file screens
Get-FsrmFileScreen

Step 7: Manage SMB Share Access

# View connected sessions to shares
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, NumOpens

# View open files
Get-SmbOpenFile | Select-Object ClientComputerName, ClientUserName, Path

# Close all open files for a specific user (useful before maintenance)
Get-SmbOpenFile | Where-Object { $_.ClientUserName -like "CORPjdoe" } | Close-SmbOpenFile -Force

# Modify share permissions
Set-SmbShareAccess -Name "CompanyData" -AccountName "CORPFinance_Users" -AccessRight Full -Force

# Remove a user from share access
Revoke-SmbShareAccess -Name "CompanyData" -AccountName "CORPTempUser" -Force

Step 8: Enable Access-Based Enumeration

Access-Based Enumeration (ABE) hides folders and files that a user does not have permission to read, reducing confusion and improving security:

# Enable ABE on the CompanyData share
Set-SmbShare -Name "CompanyData" -FolderEnumerationMode AccessBased

# Verify
Get-SmbShare -Name "CompanyData" | Select-Object Name, FolderEnumerationMode

Step 9: Generate FSRM Storage Reports

# Generate a storage report for large files
New-FsrmStorageReport `
    -Name "Large Files Report" `
    -Namespace @("D:Shares") `
    -ReportType LargeFiles `
    -Interactive $true

# Generate a duplicate files report
New-FsrmStorageReport `
    -Name "Duplicate Files Report" `
    -Namespace @("D:Shares") `
    -ReportType DuplicateFiles `
    -Interactive $true

The Windows Server 2016 File Server is now configured with shared folders, proper NTFS permissions, shadow copies for version history, disk quotas to manage storage consumption, and file screening to block undesired file types. Access-Based Enumeration improves the user experience by hiding inaccessible content. This configuration provides a secure, well-managed file sharing environment for your organization.