How to Configure FSRM File Server Resource Manager on Windows Server 2025
File Server Resource Manager (FSRM) is a built-in Windows Server role service that gives administrators fine-grained control over storage consumption, file types, and reporting on file shares. With FSRM you can enforce disk quotas to prevent users from exhausting share capacity, block prohibited file types such as personal media files or ransomware extensions, schedule automated storage reports delivered by email, and classify files automatically for data governance. Windows Server 2025 ships FSRM with enhanced classification integration and improved PowerShell support through the FileServerResourceManager module. This tutorial covers the complete FSRM implementation from role installation through production-ready quota enforcement, file screening, classification, and scheduled reporting.
Prerequisites
- Windows Server 2025 (Standard or Datacenter) with the File Server role installed
- One or more file shares already created on a non-system volume (e.g.,
E:Shares) - Domain membership (recommended for AD-integrated classification rules)
- An SMTP relay accessible from the server for email notifications
- Administrator rights on the server
- PowerShell 5.1+ with execution policy allowing local scripts
Step 1: Install the FSRM Role Service
FSRM is a sub-feature of the File and Storage Services role. Install it along with the management tools, which provide both the MMC snap-in (fsrm.msc) and the PowerShell module.
# Install FSRM role service with management tools
Install-WindowsFeature `
-Name FS-Resource-Manager `
-IncludeManagementTools `
-Restart:$false
# Verify installation
Get-WindowsFeature FS-Resource-Manager |
Select-Object Name, DisplayName, InstallState
# Import the FSRM PowerShell module
Import-Module FileServerResourceManager
# Confirm the module is available
Get-Command -Module FileServerResourceManager | Measure-Object | Select-Object Count
# Open the FSRM MMC console (GUI)
# fsrm.msc — run interactively if needed
Step 2: Configure FSRM Email Notifications
Before creating quotas, file screens, or reports, configure the SMTP settings so FSRM can send notification emails when thresholds are breached. All email notifications across FSRM share these global settings.
Import-Module FileServerResourceManager
# Configure the global FSRM email settings
Set-FsrmSetting `
-SmtpServer "smtp.contoso.local" `
-MailFrom "[email protected]" `
-AdminEmailAddress "[email protected]" `
-FromEmailAddress "[email protected]"
# Set global email throttle — minimum minutes between repeat notifications
Set-FsrmSetting -CommandNotificationLimit 60
# Test the SMTP configuration
Send-FsrmTestEmail `
-ToEmailAddress "[email protected]"
# Verify current FSRM global settings
Get-FsrmSetting | Select-Object SmtpServer, MailFrom, AdminEmailAddress, CommandNotificationLimit
Step 3: Create Quota Templates
Quota templates define reusable quota policies (size, hard/soft enforcement, notification thresholds) that you apply to directories. Creating templates first ensures consistency and makes bulk management easy.
Import-Module FileServerResourceManager
# --- Template 1: 200 MB soft quota with warning at 85% and 95% ---
New-FsrmQuotaTemplate `
-Name "200 MB Limit" `
-Description "200 MB user home folder quota with soft enforcement" `
-Size 200MB `
-SoftLimit $true
# Add a threshold notification at 85% usage
$action85 = New-FsrmAction `
-Type Email `
-MailTo "[Source Io Owner Email]" `
-MailCC "[email protected]" `
-Subject "Warning: Storage Quota at 85% for [Quota Path]" `
-Body "Your home folder ([Quota Path]) is [Quota Used Percent]% full ([Quota Used] of [Quota Limit] used). Please remove unnecessary files."
New-FsrmQuotaTemplateAction `
-Template "200 MB Limit" `
-Threshold 85 `
-Action $action85
# Add a threshold notification at 95% usage
$action95 = New-FsrmAction `
-Type Email `
-MailTo "[Source Io Owner Email]" `
-MailCC "[email protected]" `
-Subject "ALERT: Storage Quota at 95% for [Quota Path]" `
-Body "CRITICAL: Your home folder ([Quota Path]) is [Quota Used Percent]% full. Quota enforcement will begin at 100%. Please take immediate action."
New-FsrmQuotaTemplateAction `
-Template "200 MB Limit" `
-Threshold 95 `
-Action $action95
# --- Template 2: 10 GB hard quota for project shares ---
New-FsrmQuotaTemplate `
-Name "10 GB Project Hard Limit" `
-Description "10 GB hard quota for project folders — writes blocked at 100%" `
-Size 10GB `
-SoftLimit $false # Hard limit — disk writes rejected when full
$actionHard = New-FsrmAction `
-Type Email `
-MailTo "[email protected]" `
-Subject "HARD QUOTA REACHED: [Quota Path]" `
-Body "The project folder [Quota Path] has reached its 10 GB hard limit. Users cannot write new data. Current usage: [Quota Used] / [Quota Limit]."
New-FsrmQuotaTemplateAction `
-Template "10 GB Project Hard Limit" `
-Threshold 100 `
-Action $actionHard
# List quota templates
Get-FsrmQuotaTemplate | Select-Object Name, Size, SoftLimit | Format-Table
Step 4: Apply Quotas to Directories
Apply quota templates to specific paths. You can apply a quota to a parent directory and use auto-apply quotas to automatically enforce the quota on all current and future subdirectories (ideal for per-user home folders).
Import-Module FileServerResourceManager
# Apply a standard quota to a single directory
New-FsrmQuota `
-Path "E:SharesProjectsProjectAlpha" `
-Template "10 GB Project Hard Limit" `
-Description "Hard quota for Project Alpha team folder"
# Apply an auto-apply quota to the Users home folder tree
# This creates individual quotas for every existing and new subfolder
New-FsrmAutoQuota `
-Path "E:SharesUsers" `
-Template "200 MB Limit" `
-Enabled $true
# List all active quotas
Get-FsrmQuota | Select-Object Path, SoftLimit, Size,
@{n="UsedGB";e={[math]::Round($_.QuotaUsed/1GB,2)}},
@{n="LimitGB";e={[math]::Round($_.Size/1GB,2)}},
@{n="UsedPct";e={[math]::Round(($_.QuotaUsed/$_.Size)*100,1)}} |
Format-Table
# List auto-apply quotas
Get-FsrmAutoQuota | Select-Object Path, Template, Enabled
# Update an existing quota's size without changing the template
Set-FsrmQuota `
-Path "E:SharesProjectsProjectAlpha" `
-Size 20GB
# Get current usage for a specific quota
$q = Get-FsrmQuota -Path "E:SharesProjectsProjectAlpha"
Write-Host "Project Alpha: $([math]::Round($q.QuotaUsed/1MB,1)) MB used of $([math]::Round($q.Size/1GB,1)) GB ($([math]::Round(($q.QuotaUsed/$q.Size)*100,1))%)"
Step 5: Create File Screen Templates and File Groups
File screens block prohibited file types from being saved to a share. First create a File Group (a named list of file extensions), then create a File Screen Template using that group, and finally apply the screen to a path.
Import-Module FileServerResourceManager
# --- File Group: Personal Media Files ---
New-FsrmFileGroup `
-Name "Personal Media Files" `
-Description "Audio, video, and image files not permitted on business file shares" `
-IncludePattern @(
"*.mp3", "*.mp4", "*.avi", "*.mkv", "*.mov", "*.wmv", "*.flac",
"*.wav", "*.ogg", "*.m4a", "*.aac", "*.webm", "*.m4v", "*.3gp"
)
# --- File Group: Ransomware Extensions ---
# Common extensions used by ransomware for encrypted files
New-FsrmFileGroup `
-Name "Ransomware Extensions" `
-Description "Known ransomware file extensions — block immediately" `
-IncludePattern @(
"*.encrypted", "*.locky", "*.zepto", "*.cerber", "*.cryptolocker",
"*.wannacry", "*.wnry", "*.wncry", "*.wcry", "*.crypt", "*.enc",
"*.locked", "*.crypted", "*.cryp1", "*.crypz", "*.vault"
)
# --- File Screen Template: Block Media on Business Shares ---
$mediaBlockAction = New-FsrmAction `
-Type Email `
-MailTo "[email protected]" `
-MailCC "[Source Io Owner Email]" `
-Subject "Blocked: Unauthorized file type on [Violated File Screen Path]" `
-Body "A prohibited file was blocked on the file server.`nFile: [Source File Path]`nUser: [Source Io Owner]`nShare: [Violated File Screen Path]`nTime: [Local Time]"
New-FsrmFileScreenTemplate `
-Name "Block Media Files" `
-Description "Block personal media files on business file shares" `
-Active $true `
-IncludeGroup @("Personal Media Files") `
-Notification @($mediaBlockAction)
# --- File Screen Template: Block Ransomware Extensions (Active — immediate block) ---
$ransomwareAction = New-FsrmAction `
-Type Email `
-MailTo "[email protected]" `
-Subject "SECURITY ALERT: Ransomware extension detected on [Violated File Screen Path]" `
-Body "POTENTIAL RANSOMWARE ACTIVITY DETECTED.`n`nFile: [Source File Path]`nUser: [Source Io Owner]`nPath: [Violated File Screen Path]`nTime: [Local Time]`n`nImmediate investigation required."
New-FsrmFileScreenTemplate `
-Name "Block Ransomware Extensions" `
-Description "Block known ransomware file extensions" `
-Active $true `
-IncludeGroup @("Ransomware Extensions") `
-Notification @($ransomwareAction)
# List file groups and templates
Get-FsrmFileGroup | Select-Object Name, @{n="Extensions";e={($_.IncludePattern -join ", ")}}
Get-FsrmFileScreenTemplate | Select-Object Name, Active
Step 6: Apply File Screens to Shares
Apply file screen templates to the share paths you want to protect. Like quotas, file screens can be applied individually or as auto-apply templates that propagate to subdirectories.
Import-Module FileServerResourceManager
# Apply media block file screen to the main company share
New-FsrmFileScreen `
-Path "E:SharesCompanyData" `
-Template "Block Media Files" `
-Active $true
# Apply ransomware extension screen to ALL shares (critical security measure)
$sharePaths = @(
"E:SharesCompanyData"
"E:SharesProjects"
"E:SharesUsers"
"E:SharesDepartments"
)
foreach ($path in $sharePaths) {
if (Test-Path $path) {
New-FsrmFileScreen `
-Path $path `
-Template "Block Ransomware Extensions" `
-Active $true
Write-Host "Ransomware file screen applied to: $path"
}
}
# Create a file screen exception to allow a specific application to write .enc files
# (e.g., a backup application that uses .enc extension legitimately)
New-FsrmFileScreenException `
-Path "E:SharesCompanyDataBackups" `
-IncludeGroup @("Ransomware Extensions")
# List all active file screens
Get-FsrmFileScreen | Select-Object Path, Template, Active | Format-Table
Step 7: Configure Storage Reports
FSRM can generate detailed reports on storage consumption, file types, ownership, large files, and duplicate files. Schedule reports to run automatically and email the results to administrators.
Import-Module FileServerResourceManager
# Create an on-demand storage report (runs immediately)
New-FsrmStorageReport `
-Name "Weekly Storage Audit" `
-Namespace @("E:Shares") `
-ReportType @(
"LargeFiles"
"FilesByType"
"FilesByOwner"
"DuplicateFiles"
"LeastRecentlyAccessed"
) `
-MailTo "[email protected]" `
-Schedule (New-FsrmScheduledTask -Time "23:00:00" -Weekly -Day @("Sunday")) `
-Interactive $false
# Configure the LargeFiles report minimum size threshold (50 MB+)
$reportParams = @{
ReportType = "LargeFiles"
MinimumFileSize = 50MB
}
# Run a report immediately for testing
Start-FsrmStorageReport `
-Name "Weekly Storage Audit" `
-Queue
# Check the report status
Get-FsrmStorageReport -Name "Weekly Storage Audit" |
Select-Object Name, Status, LastRun, NextRun, ReportType
# Reports are saved to: C:StorageReportsInteractive (on-demand)
# and C:StorageReportsScheduled (scheduled reports)
$defaultReportPath = (Get-FsrmSetting).ReportLocationScheduled
Write-Host "Scheduled reports saved to: $defaultReportPath"
# Change the report output directory
Set-FsrmSetting `
-ReportLocationScheduled "D:FSRMReportsScheduled" `
-ReportLocationIncident "D:FSRMReportsIncidents" `
-ReportLocationOnDemand "D:FSRMReportsOnDemand"
Step 8: Custom Classification Rules
FSRM’s File Classification Infrastructure (FCI) can automatically tag files with properties based on content, name patterns, or location, enabling downstream data governance actions.
Import-Module FileServerResourceManager
# Create a custom classification property for data sensitivity
New-FsrmClassificationPropertyDefinition `
-Name "Confidentiality" `
-DisplayName "Data Confidentiality Level" `
-Type "SingleChoice" `
-PossibleValue @(
(New-FsrmClassificationPropertyValue -Name "Public" -Description "Non-sensitive, publicly shareable data"),
(New-FsrmClassificationPropertyValue -Name "Internal" -Description "Internal use only"),
(New-FsrmClassificationPropertyValue -Name "Confidential" -Description "Business confidential data"),
(New-FsrmClassificationPropertyValue -Name "Restricted" -Description "Highly sensitive — restricted access")
)
# Create a classification rule: tag files in the Finance folder as Confidential
New-FsrmClassificationRule `
-Name "Finance Folder Classification" `
-Description "Classify all files in Finance share as Confidential" `
-Namespace @("E:SharesDepartmentsFinance") `
-Property "Confidentiality" `
-PropertyValue "Confidential" `
-ClassificationMechanism "Folder" `
-Enabled $true `
-ReevaluateProperty "Overwrite"
# Create a rule: classify files containing SSN pattern as Restricted
New-FsrmClassificationRule `
-Name "SSN Content Classification" `
-Description "Files containing SSN patterns marked as Restricted" `
-Namespace @("E:Shares") `
-Property "Confidentiality" `
-PropertyValue "Restricted" `
-ClassificationMechanism "Content Classifier" `
-Parameters @("StringEx=Min=1;Expr=bd{3}-d{2}-d{4}b") `
-Enabled $true
# Run classification on the namespace
Start-FsrmClassification -RunDuration 02:00:00
# Check classification job status
Get-FsrmClassification | Select-Object Status, LastError, ClassificationReportFormats
# List files with their classification properties
Get-FsrmFileManagementJob | Select-Object Name, Status, LastRun
# Query classified files using PowerShell (after classification runs)
Get-Item "E:SharesDepartmentsFinance*" |
ForEach-Object {
$prop = $_.GetAccessControl().GetType() # placeholder
[PSCustomObject]@{
File = $_.Name
LastModified = $_.LastWriteTime
SizeKB = [math]::Round($_.Length/1KB, 1)
}
} | Format-Table
Step 9: File Management Jobs (Expiration and Archiving)
FSRM File Management Jobs automate lifecycle actions on classified files—such as moving files older than 365 days to an archive location or expiring files with the “Public” classification after 90 days.
Import-Module FileServerResourceManager
# Create a file expiration job: move files not accessed in 12 months to archive
New-FsrmFileManagementJob `
-Name "Archive Stale Files" `
-Description "Move files not accessed in 365 days to E:Archive" `
-Namespace @("E:SharesCompanyData") `
-Action (New-FsrmFmjAction -Type Expiration -ExpirationFolder "E:Archive") `
-Schedule (New-FsrmScheduledTask -Time "01:00:00" -Weekly -Day @("Saturday")) `
-Condition @(
(New-FsrmFmjCondition -Property "File.DateLastAccessed" -Condition "LessThan" -Value "365")
) `
-Enabled $true `
-ReportFormat @("DHTML", "CSV") `
-MailTo "[email protected]"
# List file management jobs
Get-FsrmFileManagementJob | Select-Object Name, Enabled, Status, LastRun, NextRun
# Run the job immediately in report-only mode (no files moved)
Start-FsrmFileManagementJob -Name "Archive Stale Files" -WhatIf
Conclusion
File Server Resource Manager on Windows Server 2025 provides a comprehensive storage governance toolkit that operates entirely from the server side without requiring changes to client applications. Quota templates enforce per-user and per-project storage limits with graduated email warnings before hard limits are reached, file screen templates block prohibited extensions—including known ransomware signatures—before they can spread across shares, storage reports deliver weekly automated audits of large files, file types, and ownership to keep administrators informed of consumption trends, and the File Classification Infrastructure automatically tags sensitive content for downstream data loss prevention and retention enforcement. By combining all of these capabilities and integrating FSRM email notifications with your help desk and security operations workflows, you establish a proactive storage management posture that reduces runaway consumption, mitigates ransomware impact, and maintains compliance with data retention policies across your entire file server estate.
