The File Server Resource Manager (FSRM) is a part of the File Services Role in Windows Server that gives you greater control over the data stored on your file servers. In this part, I’ll discuss controlling files that can be saved to your file server using File Screening.

File Screening is one of my favorite features in FSRM. One of the biggest challenges in running a file server is keeping certain kinds of files off your file server. Typically those are things like mp3 (and other digital music) files, video files, and executables just to name a few. With File Screening, you can control what file types can be saved to folders on your file server. There are two types of File Screens: active and passive. Active screening blocks configured file types from being saved to the folder and sub-folders. Passive screening allows the configured file types to be saved, but performs actions like logging or email notifications and can be useful for monitoring.

Creating a File Screen ^

In the FSRM administrative tool, go to File Screening Management, File Screens, and click on Create New File Screen.

Create File Screen

Create File Screen

Like Quota Management, Microsoft recommends using templates for setting up File Screens. In our example, we’ll block users from storing executable files in their home directories. Set the file screen path and choose a template. Click Create to create the file screen.

File screen path and template

File screen path and template

Editing the File Screen Properties lets us go in and customize the file screen further. With this particular template, the Screening type has been set to Active meaning that users will not be able to copy any file classified as executable into this path. (Note: this applies to everyone… even users with Administrator rights. If you’re setting an Active file screen, be really sure that is what you want to do.)

File Screen Properties

File Screen Properties

The E-mail Message tab lets you set a customized message that can be sent to the user (and a server administrator if you desire) that is trying to copy the screened file to the file server. Like Quotas, I highly recommend translating this into something your end users will understand; the built-in messages don’t always make sense to end users.

E-mail message tab

E-mail message tab

I also recommend leaving the e-mail notifications enabled instead of relying on the built-in error messages that will be generated by Windows on their computers. End users will receive a very basic “Destination Folder Access Denied” error that will tell them “You need permission to perform this action.” If you’re a larger organization, your help desk or frontline support is going to think they’re dealing with a permissions problem unless you’ve provided them with adequate troubleshooting steps and documentation.

Exceptions ^

You’re always going to have those times where the rule that applies to everyone needs an exception. In those situations, File Screening has the ability to crea

Destination Folder Access Denied

Destination Folder Access Denied

te exceptions for sub-folders. In the FSRM administrative tool, highlight the file screen you want to modify and then click Create File Screen Exception.

Create File Screen Exception

Create File Screen Exception

Choose your Exception path, choose the file group that should be excluded for this sub-folder, and then click OK. That’s it!

File Screen Exception - Executable files

File Screen Exception - Executable files

File Groups ^

The pre-defined File Groups that are built-in to FSRM are… lacking to say the least. In my earlier example, I blocked executable files from user folders on the file server. The problem is that this also blocked .ps1 (PowerShell scripts), .js (JavaScript), and .vbs (VB scripts) from user folders. Oops, huh? If you have any sysadmins or web developers using those folders, you’ve got a problem. Let’s take another file group: Audio and Video Files. First off, why are these together and not two separate groups? Second, there are several file types missing. The most glaring are .m4a and .m4v files that are used by iTunes. Oops again.

Pre-defined File Groups in FSRM

Pre-defined File Groups in FSRM

Needless to say, you’ll probably want to edit the existing File Groups or even create your own that fit your organization’s needs.

File Content ^

There’s one last gotcha you’ll want to know about File Screening. File Screening only looks at the name of the file and not the content of the file. So, if you block “Audio and Video Files,” File Screening won’t block .mp3 files that have their extension changed to something else. Honestly, I’ve never encountered someone that did this to circumvent File Screening, but it is still something you’ll want to be aware of before you implement File Screening.

In my next post I will cover storage reports.

7 Comments
  1. Michael 5 years ago

    the only real problem with file screening is the fact that you cannot setup multiple screens for the same path. for instance. I have all my users home folders on the same drive. I setup a screen to passively watch that drive for .mp3 files. now I want to set up an active screen to block .pst files but I can't cause the passive file screen is already in place.

    • ioannis (Rank: 1)
      1 year ago

      i know it is an old post , but still on top in google searches.The same way i got here.So i think a comment would be appropriate.

      I had the same Problem.I wanted to have both an active and a passive filescreen on a drive.As a work around since you are not permitted to use the same path e.g "d:\" on the file screen properties, you can take advantage of absolute paths.

      For example setting the passive filescreen on "d:\users" and the active on "d:\" .BUT i cannot guarantee how much (if any) disk overhead will bring this.

       

  2. Andrew Sendelbach 5 years ago

    Any idea what permissions are required to manage the File screening on a server?

    We currently have a Help Desk technician with Administrator access to the primary file server in order to add File screening exceptions.  Obviously, this is not ideal.

    • Author

      I'm fairly certain you have to be a local Administrator, but you're welcome to play around with it and see if you can make it work without that high level of rights.

      That said, you either trust your employees or you don't.  If you don't a Help Desk tech with local Administrator, then you don't trust them and a Level 2 or 3 engineer should be managing it.

  3. Ben 3 years ago

    Any ideas of how many file screen rules can be created?

  4. Manas Dash 3 years ago

    How to open FSRM window from Run or Command line ?

  5. Anand Dhouni 7 months ago

    Sir 

    We are getting following error when trying to add file screen to a folder 

    " Can't create file screen in the given path as a file screen already exist for that path"

    But in FSRM list this path is not showing 

    Please guide 

     

    Regards,

    Anand Dhouni 

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account