How to Configure FSRM File Server Resource Manager on Windows Server 2022
File Server Resource Manager (FSRM) is a built-in Windows Server role service that provides tools for managing and classifying data stored on file servers. FSRM enables administrators to enforce storage quotas on folders and volumes, block certain file types from being stored, generate storage reports, and automatically classify files using metadata rules. On Windows Server 2022, FSRM is particularly valuable for enforcing storage policies, detecting ransomware through file screen event monitoring, and maintaining organizational data governance without third-party tools.
Installing FSRM
FSRM is a role service within the File and Storage Services server role. Install it using Server Manager or PowerShell:
# Install FSRM with management tools
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
# Verify installation
Get-WindowsFeature -Name FS-Resource-Manager | Select-Object Name, InstallState
# Confirm the FSRM service is running
Get-Service -Name SrmSvc | Select-Object Name, Status, StartType
# Open the FSRM console (File Server Resource Manager MMC)
fsrm.msc
After installation, configure the FSRM SMTP settings for email notifications. FSRM can send alerts when quotas are exceeded, file screens block saves, and reports complete:
# Configure FSRM email settings
Set-FsrmSetting `
-SmtpServer "smtp.company.com" `
-AdminEmailAddress "[email protected]" `
-FromEmailAddress "[email protected]"
# Verify SMTP configuration
Get-FsrmSetting | Select-Object SmtpServer, AdminEmailAddress, FromEmailAddress
# Send a test email to verify SMTP connectivity
Send-FsrmTestEmail -SmtpServer "smtp.company.com" -ToEmailAddress "[email protected]"
Quota Management
FSRM quotas limit the amount of disk space a folder can use. A hard quota enforces the limit — users receive an error when they attempt to save a file that would exceed it. A soft quota tracks usage and generates notifications but does not block writes. Quotas can be applied to individual folders or inherited from quota templates.
Create quota templates first so that consistent policies can be applied across many folders:
# Create a quota template for user home directories (10 GB hard quota)
New-FsrmQuotaTemplate `
-Name "User Home Directory 10GB" `
-Description "10 GB hard quota for user home directories" `
-Size 10GB `
-SoftLimit $false
# Add a warning threshold at 85% - send email notification
$emailAction = New-FsrmAction `
-Type Email `
-MailTo "[Admin Email]" `
-Subject "Quota Warning: [Quota Path] has reached [Quota Threshold]%" `
-Body "User [IO User] has used [Quota Used MB] MB of the [Quota Limit MB] MB limit on [Quota Path]. Current usage is [Quota Threshold]%."
$warnThreshold = New-FsrmQuotaThreshold -Percentage 85 -Action $emailAction
# Add a second threshold at 95% - send email and log an event
$eventAction = New-FsrmAction `
-Type Event `
-EventType Warning `
-Body "Quota on [Quota Path] has reached [Quota Threshold]% of [Quota Limit MB] MB"
$critThreshold = New-FsrmQuotaThreshold -Percentage 95 -Action $emailAction, $eventAction
New-FsrmQuotaTemplate `
-Name "User Home Directory 10GB" `
-Description "10 GB hard quota for user home directories with notifications" `
-Size 10GB `
-SoftLimit $false `
-Threshold $warnThreshold, $critThreshold
# Apply the quota template to a folder
New-FsrmQuota `
-Path "D:UserHomes" `
-Template "User Home Directory 10GB"
Apply a quota directly without a template (useful for one-off folder limits):
# Apply a 50 GB soft quota to the archive folder with no blocking
New-FsrmQuota `
-Path "D:Archive" `
-Size 50GB `
-SoftLimit $true `
-Description "Soft quota monitor for archive folder"
# Apply a quota to all user home folders automatically using auto-apply
New-FsrmAutoQuota `
-Path "D:UserHomes" `
-Template "User Home Directory 10GB"
# Check current quota usage
Get-FsrmQuota -Path "D:UserHomes" | Select-Object Path, Size, Usage, PeakUsage, SoftLimit
# List all quotas and their usage across the server
Get-FsrmQuota | Select-Object Path, Size, Usage, SoftLimit | Sort-Object Usage -Descending
# Update an existing quota size
Set-FsrmQuota -Path "D:UserHomesjdoe" -Size 20GB
File Screening
File screens block or monitor specific file types from being saved to a folder. An active file screen prevents the blocked file types from being written and optionally sends notifications. A passive file screen logs the event but allows the write. FSRM includes built-in file group definitions (Audio and Video Files, Executable Files, Image Files, Backup Files, etc.) and templates that combine file groups with actions.
# List built-in file screen templates
Get-FsrmFileScreenTemplate | Select-Object Name, Active, IncludeGroup
# List available file groups
Get-FsrmFileGroup | Select-Object Name, IncludePattern
# View the file group for Executable Files
Get-FsrmFileGroup -Name "Executable Files" | Select-Object -ExpandProperty IncludePattern
# Create a file screen on the Finance share to block audio/video files
New-FsrmFileScreen `
-Path "D:SharesFinance" `
-Template "Block Audio and Video Files" `
-Active $true
# Create a custom file group for ransomware-related extensions
New-FsrmFileGroup `
-Name "Ransomware Extensions" `
-IncludePattern @(
"*.locky", "*.zepto", "*.odin", "*.aesir", "*.thor",
"*.zzzzz", "*.cryptolocker", "*.micro", "*.vault",
"*.encrypted", "*.cry", "*.locked", "*.cerber",
"*.wallet", "*.dharma", "*.wncry", "*.WNCRYPT",
"*.wcry", "*.onion", "*.petya", "*.wannacry",
"READ_ME_TO_DECRYPT*", "HELP_RECOVER*", "!DECRYPT*",
"DECRYPT_INSTRUCTION*", "HOW_TO_RESTORE*", "_HELP_instructions*",
"RECOVERY_FILE*", "*ransom*"
)
# Create a file screen template to block and alert on ransomware extensions
$emailRansom = New-FsrmAction `
-Type Email `
-MailTo "[Admin Email]" `
-Subject "RANSOMWARE ALERT: Blocked file on [File Screen Path]" `
-Body "A file matching ransomware patterns was blocked on [Server Name].nnFile: [Violated File Path]nUser: [IO Domain][IO User]nProcess ID: [IO Process ID]nTime: [File Screen Event Time]nnImmediate action recommended - isolate [Server Name]."
$eventRansom = New-FsrmAction `
-Type Event `
-EventType Error `
-Body "Ransomware file blocked: [Violated File Path] by [IO Domain][IO User]"
$commandRansom = New-FsrmAction `
-Type Command `
-Command "C:ScriptsIsolateServer.ps1" `
-CommandParameters "" `
-RunLimitInterval 60
New-FsrmFileScreenTemplate `
-Name "Block Ransomware Extensions" `
-Active $true `
-IncludeGroup "Ransomware Extensions" `
-Notification $emailRansom, $eventRansom
# Apply ransomware file screen to all user-accessible shares
New-FsrmFileScreen -Path "D:Shares" -Template "Block Ransomware Extensions" -Active $true
New-FsrmFileScreen -Path "D:UserHomes" -Template "Block Ransomware Extensions" -Active $true
Ransomware Detection Strategy with FSRM
File screens provide early ransomware detection by blocking known ransomware file extensions before encryption spreads. The command action in a file screen template can execute a PowerShell script that immediately disables the offending user account, disconnects their SMB sessions, and sends an alert. This automated response can contain an incident within seconds of the first blocked file.
# C:ScriptsIsolateRansomware.ps1 - called by FSRM file screen command action
param(
[string]$UserDomain = $env:FsrmIoDomain,
[string]$UserName = $env:FsrmIoUser,
[string]$FilePath = $env:FsrmViolatedFilePath,
[string]$ServerName = $env:ComputerName
)
$logPath = "C:LogsFSRM_Ransomware_$(Get-Date -Format 'yyyyMMdd_HHmmss').log"
"$(Get-Date) - Ransomware file blocked: $FilePath by $UserDomain$UserName on $ServerName" | Tee-Object $logPath
# Disable the user account in Active Directory
try {
Import-Module ActiveDirectory
$adUser = Get-ADUser -Identity $UserName -ErrorAction Stop
Disable-ADAccount -Identity $UserName
"$(Get-Date) - Disabled AD account: $UserName" | Add-Content $logPath
} catch {
"$(Get-Date) - Failed to disable AD account $UserName : $($_.Exception.Message)" | Add-Content $logPath
}
# Terminate the user's SMB sessions on this file server
$sessions = Get-SmbSession | Where-Object { $_.ClientUserName -like "*$UserName*" }
foreach ($session in $sessions) {
Close-SmbSession -SessionId $session.SessionId -Force
"$(Get-Date) - Closed SMB session: $($session.SessionId) for $($session.ClientUserName)" | Add-Content $logPath
}
# Send an immediate email alert
$mailParams = @{
SmtpServer = "smtp.company.com"
From = "[email protected]"
To = "[email protected]"
Subject = "CRITICAL: Ransomware detected on $ServerName"
Body = "Ransomware activity detected at $(Get-Date).nnBlocked file: $FilePathnUser: $UserDomain$UserNamenServer: $ServerNamennAccount $UserName has been disabled and SMB sessions terminated.nLog: $logPath"
}
Send-MailMessage @mailParams
Storage Reports
FSRM can generate detailed storage analysis reports that identify large files, duplicate files, files by type, files by owner, and quota usage. Reports can be generated on demand, scheduled to run periodically, or triggered by storage events. Reports output to HTML, XML, CSV, DHTML, and plain text formats.
# Generate an on-demand storage report for large files (> 100 MB) on D:Shares
New-FsrmStorageReport `
-Name "Large Files Report" `
-Namespace "D:Shares" `
-ReportType LargeFiles `
-LargeFileMinimum 104857600 `
-ReportFormat HTML, CSV `
-Interactive $true
# Generate a Files by Type report to see disk consumption by extension
New-FsrmStorageReport `
-Name "Files by Type" `
-Namespace "D:Shares" `
-ReportType FilesByType `
-ReportFormat HTML `
-Interactive $true
# Generate a quota usage report
New-FsrmStorageReport `
-Name "Quota Usage" `
-Namespace "D:" `
-ReportType QuotaUsage `
-ReportFormat HTML, CSV `
-Interactive $true
# Schedule a weekly storage report that runs every Sunday at 2 AM
$schedule = New-FsrmScheduledTask -Weekly -Day Sunday -Time "02:00"
New-FsrmStorageReport `
-Name "Weekly Storage Analysis" `
-Namespace "D:Shares", "D:UserHomes" `
-ReportType LargeFiles, FilesByType, LeastRecentlyAccessed `
-ReportFormat HTML, CSV `
-Schedule $schedule `
-MailTo "[email protected]"
# View generated reports
Get-ChildItem -Path "C:StorageReportsInteractive" -Filter "*.html" |
Sort-Object LastWriteTime -Descending | Select-Object -First 10
File Classification Infrastructure
File Classification Infrastructure (FCI) extends FSRM with automatic file classification based on content patterns, location, or age. FCI assigns classification properties (metadata tags) to files that can then be used in FSRM policies, Dynamic Access Control policies, and Rights Management Services.
# Create a classification property for data sensitivity
New-FsrmClassificationPropertyDefinition `
-Name "Sensitivity" `
-Type SingleChoice `
-PossibleValue @("Public", "Internal", "Confidential", "Restricted") `
-Description "Data sensitivity classification level"
# Create a classification rule that marks files containing credit card patterns as Restricted
New-FsrmClassificationRule `
-Name "Credit Card Data Detection" `
-Property "Sensitivity" `
-PropertyValue "Restricted" `
-Namespace "D:Shares" `
-ClassificationMechanism "Content Classifier" `
-Parameters @("StringEx=Min=1;Expr=b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13})b") `
-ReevaluateProperty Overwrite
# Create a rule that classifies files in the Finance folder as Confidential
New-FsrmClassificationRule `
-Name "Finance Folder Classification" `
-Property "Sensitivity" `
-PropertyValue "Confidential" `
-Namespace "D:SharesFinance" `
-ClassificationMechanism "Folder Classifier" `
-ReevaluateProperty Aggregate
# Run classification on demand
Start-FsrmClassification -RunDuration 0 # 0 = unlimited duration
# Check classification status
Get-FsrmClassification | Select-Object Status, LastError, LastReportPathWithoutExtension
# View classification properties assigned to a specific file
Get-FsrmFileManagementJob | Select-Object Name, Status
Get-Item "D:SharesFinanceQ1Budget.xlsx" |
Get-FileMetadataProperty -PropertyName "Sensitivity"
FSRM PowerShell Reference Summary
The following commands provide a quick reference for the most common FSRM administrative tasks on Windows Server 2022:
# --- Quota Commands ---
Get-FsrmQuota # List all quotas
Get-FsrmQuota -Path "D:SharesFinance" # Quota for specific path
New-FsrmQuota -Path "D:Data" -Size 100GB # Create quota
Set-FsrmQuota -Path "D:Data" -Size 200GB # Resize quota
Remove-FsrmQuota -Path "D:Data" # Remove quota
Get-FsrmQuotaTemplate # List templates
New-FsrmAutoQuota -Path "D:UserHomes" -Template "User Home Directory 10GB"
# --- File Screen Commands ---
Get-FsrmFileScreen # List all screens
New-FsrmFileScreen -Path "D:Shares" -Template "Block Audio and Video Files"
Set-FsrmFileScreen -Path "D:Shares" -Active $false # Disable screen
Remove-FsrmFileScreen -Path "D:Shares" # Remove screen
Get-FsrmFileScreenTemplate # List templates
Get-FsrmFileGroup # List file groups
# --- Storage Report Commands ---
Get-FsrmStorageReport # List scheduled reports
Start-FsrmStorageReport -Name "Large Files Report" # Run report now
Wait-FsrmStorageReport -Name "Large Files Report" # Wait for completion
# --- Classification Commands ---
Start-FsrmClassification # Run classification
Get-FsrmClassification # Get classification status
Get-FsrmClassificationPropertyDefinition # List classification properties
Get-FsrmClassificationRule # List classification rules
# --- Settings ---
Get-FsrmSetting # View all FSRM settings
Set-FsrmSetting -SmtpServer "smtp.company.com" # Update SMTP server
FSRM on Windows Server 2022 integrates with Windows Admin Center for a browser-based management experience, providing quota and file screen visibility alongside other storage management tasks without requiring RDP access or loading the FSRM MMC console. The combination of quotas, file screens, ransomware detection rules, and automated classification makes FSRM a comprehensive data governance layer that operates entirely within the Windows Server operating system without external agents.
