File Screening is one of my favorite features in FSRM. One of the biggest challenges in running a file server is keeping certain kinds of files off your file server. Typically those are things like mp3 (and other digital music) files, video files, and executables just to name a few. With File Screening, you can control what file types can be saved to folders on your file server. There are two types of File Screens: active and passive. Active screening blocks configured file types from being saved to the folder and sub-folders. Passive screening allows the configured file types to be saved, but performs actions like logging or email notifications and can be useful for monitoring.
Creating a File Screen
In the FSRM administrative tool, go to File Screening Management, File Screens, and click on Create New File Screen.
Create File Screen
Like Quota Management, Microsoft recommends using templates for setting up File Screens. In our example, we’ll block users from storing executable files in their home directories. Set the file screen path and choose a template. Click Create to create the file screen.
File screen path and template
Editing the File Screen Properties lets us go in and customize the file screen further. With this particular template, the Screening type has been set to Active meaning that users will not be able to copy any file classified as executable into this path. (Note: this applies to everyone… even users with Administrator rights. If you’re setting an Active file screen, be really sure that is what you want to do.)
File Screen Properties
The E-mail Message tab lets you set a customized message that can be sent to the user (and a server administrator if you desire) that is trying to copy the screened file to the file server. Like Quotas, I highly recommend translating this into something your end users will understand; the built-in messages don’t always make sense to end users.
E-mail message tab
I also recommend leaving the e-mail notifications enabled instead of relying on the built-in error messages that will be generated by Windows on their computers. End users will receive a very basic “Destination Folder Access Denied” error that will tell them “You need permission to perform this action.” If you’re a larger organization, your help desk or frontline support is going to think they’re dealing with a permissions problem unless you’ve provided them with adequate troubleshooting steps and documentation.
Exceptions
You’re always going to have those times where the rule that applies to everyone needs an exception. In those situations, File Screening has the ability to create exceptions for sub-folders. In the FSRM administrative tool, highlight the file screen you want to modify and then click Create File Screen Exception.
Create File Screen Exception
Choose your Exception path, choose the file group that should be excluded for this sub-folder, and then click OK. That’s it!
File Screen Exception - Executable files
File Groups
The pre-defined File Groups that are built into FSRM are… lacking, to say the least. In my earlier example, I blocked executable files from user folders on the file server. The problem is that this also blocked .ps1 (PowerShell scripts), .js (JavaScript), and .vbs (VB scripts) from user folders. Oops, huh? If you have any sysadmins or web developers using those folders, you’ve got a problem. Let’s take another file group: Audio and Video Files. First off, why are these together and not two separate groups? Second, there are several file types missing. The most glaring are .m4a and .m4v files that are used by iTunes. Oops again.
Pre-defined File Groups in FSRM
Needless to say, you’ll probably want to edit the existing File Groups or even create your own that fit your organization’s needs.
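The same setup can be scripted with the FileServerResourceManager PowerShell module (Windows Server 2012 and later). This is an added example, not the author's code: it builds custom file groups, creates an active screen with a plain-language e-mail, and adds a sub-folder exception. The paths, group names, extension lists and message text are assumptions.

```powershell
# Added example. Run on a server with the FSRM role installed.
# Paths, group names, extension lists and message text are assumptions.
Import-Module FileServerResourceManager

$homeRoot = 'D:\Users'          # assumed home-directory root
$devShare = 'D:\Users\webdev'   # assumed sub-folder that needs an exception

# File groups: derive an executable group without the script types the post
# mentions, and split audio from video while adding the iTunes extensions.
$scripts = '*.ps1', '*.js', '*.vbs'
$builtin = (Get-FsrmFileGroup -Name 'Executable Files').IncludePattern
New-FsrmFileGroup -Name 'Executables (no scripts)' `
    -IncludePattern ($builtin | Where-Object { $_ -notin $scripts })
New-FsrmFileGroup -Name 'Audio Files (custom)' -IncludePattern '*.mp3', '*.m4a', '*.wav', '*.wma'
New-FsrmFileGroup -Name 'Video Files (custom)' -IncludePattern '*.mp4', '*.m4v', '*.avi', '*.wmv'

# E-mail to the user who triggered the screen. The bracketed names are FSRM
# notification variables. Assumes an SMTP server is already set in FSRM options.
$mail = New-FsrmAction -Type Email -MailTo '[Source Io Owner Email]' `
    -Subject 'File blocked on [Server]' `
    -Body ('[Source File Path] was not saved because "[Violated File Group]" ' +
           'files are not allowed under [File Screen Path]. ' +
           'This is a file-type rule, not a permissions problem.')

# Active screen: blocks matching files for everyone, administrators included.
# Leave out -Active to get a passive (monitor-only) screen instead.
New-FsrmFileScreen -Path $homeRoot -Active -Notification $mail `
    -IncludeGroup 'Executables (no scripts)', 'Audio Files (custom)', 'Video Files (custom)'

# Exception: allow the executable group in one sub-folder only.
New-FsrmFileScreenException -Path $devShare -IncludeGroup 'Executables (no scripts)'

# Review what is now in place.
Get-FsrmFileScreen -Path $homeRoot | Select-Object Path, Active, IncludeGroup
Get-FsrmFileScreenException -Path $devShare | Select-Object Path, IncludeGroup
```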
File Content
There’s one last gotcha you’ll want to know about File Screening. File Screening only looks at the name of the file and not the content of the file. So, if you block “Audio and Video Files,” File Screening won’t block .mp3 files that have their extension changed to something else. Honestly, I’ve never encountered someone that did this to circumvent File Screening, but it is still something you’ll want to be aware of before you implement File Screening.
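Because the screen matches names only, a periodic content check can cover the gap. The following added example (not part of the original post) reads the first bytes of each file and reports files whose content signature belongs to a screened type while the extension does not. The scan path, the signature table and the extension lists are assumptions and cover only a few common formats.

```powershell
# Added example: audit a screened folder for files whose content and name disagree.
# The signature table is a small constructed sample; extend it for your own file groups.
$signatures = @(
    @{ Type = 'Executable (PE)'; Offset = 0; Bytes = 0x4D, 0x5A
       Ext  = '.exe', '.dll', '.sys', '.scr', '.com', '.ocx', '.cpl' }
    @{ Type = 'MP3 (ID3 tag)';   Offset = 0; Bytes = 0x49, 0x44, 0x33
       Ext  = '.mp3' }
    @{ Type = 'MP4/M4A/M4V';     Offset = 4; Bytes = 0x66, 0x74, 0x79, 0x70
       Ext  = '.mp4', '.m4a', '.m4v', '.mov' }
)

function Find-DisguisedFile {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file   = $_
        $buffer = New-Object byte[] 16
        try {
            # Read only the header, and share the file so open documents are not locked out.
            $stream = [System.IO.File]::Open($file.FullName, 'Open', 'Read', 'ReadWrite')
            try { $read = $stream.Read($buffer, 0, $buffer.Length) } finally { $stream.Dispose() }
        } catch { return }   # unreadable or exclusively locked: skip this file

        foreach ($sig in $signatures) {
            $end = $sig.Offset + $sig.Bytes.Count
            if ($read -lt $end) { continue }   # file shorter than the signature
            $header = $buffer[$sig.Offset..($end - 1)] -join ','
            if ($header -eq ($sig.Bytes -join ',') -and
                $sig.Ext -notcontains $file.Extension.ToLower()) {
                [pscustomobject]@{
                    Path      = $file.FullName
                    Extension = $file.Extension
                    Content   = $sig.Type
                }
            }
        }
    }
}

# Assumed scan root; review the hits by hand, since header matches are a heuristic.
Find-DisguisedFile -Path 'D:\Users' | Format-Table -AutoSize
```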
In my next post I will cover storage reports.
The only real problem with file screening is the fact that you cannot set up multiple screens for the same path. For instance, I have all my users’ home folders on the same drive. I set up a screen to passively watch that drive for .mp3 files. Now I want to set up an active screen to block .pst files, but I can’t because the passive file screen is already in place.
I know it is an old post, but it is still on top in Google searches. That is how I got here, so I think a comment would be appropriate.
I had the same problem. I wanted to have both an active and a passive file screen on a drive. As a workaround, since you are not permitted to use the same path, e.g. "d:\", on the file screen properties, you can take advantage of absolute paths.
For example, set the passive file screen on "d:\users" and the active one on "d:\". BUT I cannot guarantee how much (if any) disk overhead this will bring.
Any idea what permissions are required to manage the File screening on a server?
We currently have a Help Desk technician with Administrator access to the primary file server in order to add File screening exceptions. Obviously, this is not ideal.
I’m fairly certain you have to be a local Administrator, but you’re welcome to play around with it and see if you can make it work without that high level of rights.
That said, you either trust your employees or you don’t. If you don’t trust a Help Desk tech with local Administrator, then you don’t trust them and a Level 2 or 3 engineer should be managing it.
Any ideas of how many file screen rules can be created?
How to open the FSRM window from Run or the command line?
Sir
We are getting the following error when trying to add a file screen to a folder:
" Can't create file screen in the given path as a file screen already exist for that path"
But this path is not showing in the FSRM list.
Please guide
Regards,
Anand Dhouni