Windows File Server is one of the most common workloads on Windows Server, providing centralized file storage with SMB (Server Message Block) shares. This guide covers setting up a production file server with proper permissions, quotas, auditing, and DFS for high availability on your Windows Server VPS.
Install File Server Role
# Install the file-server roles used in this guide: the SMB file server itself,
# File Server Resource Manager (quotas and file screens) and DFS Namespaces /
# DFS Replication, together with their management tools.
$fsFeatures = 'FS-FileServer', 'FS-Resource-Manager', 'FS-DFS-Namespace', 'FS-DFS-Replication'
Install-WindowsFeature -Name $fsFeatures -IncludeManagementTools

# Verify installation: list every FS-* feature with its install state
Get-WindowsFeature -Name 'FS-*'
Create Data Disk Structure
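# Initialize and format a data disk (if you have a second disk).
# This step is destructive: every disk reported as RAW would be initialized and
# formatted. Collect the candidates first and refuse to continue when there is
# more than one, because only a single disk can receive drive letter D.
# NOTE(review): assumes the letter D is free (on some images it is taken by a
# virtual DVD drive) - confirm with Get-Volume before running.
$rawDisks = @(Get-Disk | Where-Object PartitionStyle -eq "RAW")
if ($rawDisks.Count -gt 1) {
    throw "Found $($rawDisks.Count) RAW disks; select the data disk explicitly instead of formatting all of them."
}
if ($rawDisks.Count -eq 1) {
    # NTFS instead of ReFS: File Server Resource Manager (the quotas and file
    # screens configured later in this guide) supports NTFS volumes only.
    $rawDisks[0] |
        Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -UseMaximumSize -DriveLetter D |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel "Data" -Confirm:$false
}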
# Create share folder structure.
# One folder per department under Company, plus a company-wide Shared folder
# and a Home root. Only Finance and Shared are published as SMB shares further
# down; the remaining folders are created here but not shared by this guide.
$folders = @(
    "D:\Shares\Company",
    "D:\Shares\Company\Finance",
    "D:\Shares\Company\HR",
    "D:\Shares\Company\Engineering",
    "D:\Shares\Company\Marketing",
    "D:\Shares\Shared",
    "D:\Shares\Home"
)

# -Force keeps the step re-runnable: an existing directory is returned as-is
# and missing parent directories are created.
$folders | ForEach-Object {
    New-Item -ItemType Directory -Path $_ -Force
}
Create SMB Shares with Permissions
# Create department share.
# Share-level access: Domain Admins full, Finance Team change, Finance Auditors
# read. Access-based enumeration is on, offline caching is off, and SMB
# encryption is required for this share.
$financeShare = @{
    Name                  = "Finance"
    Path                  = "D:\Shares\Company\Finance"
    Description           = "Finance Department Files"
    FullAccess            = "CORP\Domain Admins"
    ChangeAccess          = "CORP\Finance Team"
    ReadAccess            = "CORP\Finance Auditors"
    FolderEnumerationMode = "AccessBased"
    CachingMode           = "None"
    EncryptData           = $true
}
New-SmbShare @financeShare

# Create shared company drive.
# NOTE(review): unlike Finance, this share sets neither -EncryptData nor
# -CachingMode, so it keeps the server defaults for both; every domain user
# gets Change access at the share level.
$companyShare = @{
    Name                  = "Shared"
    Path                  = "D:\Shares\Shared"
    Description           = "Company Shared Files"
    FullAccess            = "CORP\Domain Admins"
    ChangeAccess          = "CORP\Domain Users"
    FolderEnumerationMode = "AccessBased"
}
New-SmbShare @companyShare
# Set NTFS permissions (more granular than share permissions).
# The effective access over SMB is the more restrictive of the share
# permission and the file-system ACL written here.
$financePath = "D:\Shares\Company\Finance"
$Acl = Get-Acl -Path $financePath

# Remove inheritance: protect the folder from inherited rules ($true) and do
# not keep copies of the rules it was inheriting ($false). From here on only
# the explicit entries below apply.
$Acl.SetAccessRuleProtection($true, $false)

# Add explicit permissions.
# Columns: identity, rights, inheritance flags, propagation flags, type.
# "ContainerInherit,ObjectInherit" applies each rule to subfolders and files.
# NOTE(review): NT AUTHORITY\SYSTEM is not in this list; after inheritance is
# cut, services running as SYSTEM have no explicit entry here - confirm that
# is intended before applying.
$Rules = @(
    @("CORP\Domain Admins", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"),
    @("CORP\Finance Team", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"),
    @("CORP\Finance Auditors", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow"),
    @("BUILTIN\Administrators", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
)

$Rules | ForEach-Object {
    # Each five-element row is passed as the constructor's argument list
    $entry = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $_
    $Acl.AddAccessRule($entry)
}

# Write the modified descriptor back to the folder
Set-Acl -Path $financePath -AclObject $Acl
Configure FSRM Quotas
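# Create quota templates.
# The thresholds are built as separate objects first. Written inline as
# "@( New-FsrmQuotaThreshold ... -Action (...), New-FsrmQuotaThreshold ... )",
# the comma is parsed as part of the first command's -Action argument, so the
# second threshold is never created as its own object.
#
# NOTE(review): -SoftLimit makes this a monitoring quota - the thresholds send
# notifications but writes beyond 50GB are still allowed. Drop -SoftLimit if
# the quota is meant to stop a share from growing past its limit.
# The e-mail actions depend on FSRM's mail settings (see Set-FsrmSetting),
# which this guide does not configure.

# 80%: warning to the administrator
$warnMail = @{
    Type    = "Email"
    MailTo  = "[Admin Email]"
    Subject = "Quota Warning: [Quota Path]"
    Body    = "The share [Quota Path] has reached [Quota Used Percent]% capacity."
}
$warnThreshold = New-FsrmQuotaThreshold -Percentage 80 -Action (New-FsrmAction @warnMail)

# 95%: critical notice to the administrator and the user who triggered it
$criticalMail = @{
    Type    = "Email"
    MailTo  = "[Admin Email],[Source Io Owner Email]"
    Subject = "CRITICAL: Quota nearly full: [Quota Path]"
    Body    = "The share [Quota Path] is at [Quota Used Percent]% capacity. [Quota Free Space] remaining."
}
$criticalThreshold = New-FsrmQuotaThreshold -Percentage 95 -Action (New-FsrmAction @criticalMail)

New-FsrmQuotaTemplate -Name "Department 50GB" `
    -Size 50GB `
    -SoftLimit `
    -Threshold @($warnThreshold, $criticalThreshold)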
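# Apply quota to department shares.
# Only Finance and HR receive the template here; Engineering and Marketing
# are left without a quota by this guide.
New-FsrmQuota -Path "D:\Shares\Company\Finance" -Template "Department 50GB"
New-FsrmQuota -Path "D:\Shares\Company\HR" -Template "Department 50GB"

# File screening - block certain file types.
# The built-in media group is named "Audio and Video Files"; the name must
# match an existing file group exactly (Get-FsrmFileGroup lists them).
# -Active makes this an enforcing screen: matching files are rejected on write
# rather than only reported. Screening matches on file name patterns, so it is
# a policy control and not a replacement for malware scanning.
New-FsrmFileScreen -Path "D:\Shares\Company" `
    -IncludeGroup @("Executable Files", "Audio and Video Files") `
    -Active:$true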
Enable Auditing
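# Enable audit policy.
# Turns on success and failure auditing for the "File System" subcategory.
# Events are only generated for objects that also carry an audit rule (SACL),
# which is what the rest of this block adds.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Configure SACL on the share folder.
# -Audit loads the existing audit rules into the descriptor; without it the
# SACL is not read, and writing the descriptor back would leave only the rule
# added here.
$auditPath = "D:\Shares\Company"
$Acl = Get-Acl -Path $auditPath -Audit

# Audit deletes and writes by any principal, successful or denied, on this
# folder and everything beneath it.
# NOTE(review): success auditing of writes for Everyone can produce a large
# event volume on a busy share - size the Security log and forwarding to match.
$AuditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    "Everyone",
    "Delete,DeleteSubdirectoriesAndFiles,WriteData,AppendData",
    "ContainerInherit,ObjectInherit",
    "None",
    "Success,Failure"
)
$Acl.AddAuditRule($AuditRule)
Set-Acl -Path $auditPath -AclObject $Acl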
Shadow Copies (Previous Versions)
# Enable shadow copies on D: drive.
# Shadow storage is placed on D: itself and capped at 10% of the volume.
# Because the snapshots live on the volume they protect, they are lost with
# it; they complement backups and do not replace them.
vssadmin add shadowstorage /for=D: /on=D: /maxsize=10%

# Create initial shadow copy
vssadmin create shadow /for=D:

# Schedule shadow copies (twice daily): 7:00 in the morning and at noon
$Trigger1 = New-ScheduledTaskTrigger -Daily -At "7:00AM"
$Trigger2 = New-ScheduledTaskTrigger -Daily -At "12:00PM"
$Action = New-ScheduledTaskAction -Execute "vssadmin.exe" -Argument "create shadow /for=D:"

# The task runs as SYSTEM with the highest run level
$shadowTask = @{
    TaskName = "Shadow Copy D:"
    Trigger  = @($Trigger1, $Trigger2)
    Action   = $Action
    User     = "SYSTEM"
    RunLevel = "Highest"
}
Register-ScheduledTask @shadowTask
Map Drives via GPO
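# In Group Policy Management, create drive mappings
# Or use a logon script:
# logon-script.ps1
#
# Maps S: to the company share and H: to the user's own folder under Home.
# NOTE(review): this guide creates the D:\Shares\Home folder but no "Home"
# share and no per-user folders; \\fileserver\Home\<user> must exist, with
# permissions limiting each folder to its owner, before H: can be mapped.
$Mappings = @{
    "S:" = "\\fileserver\Shared"
    "H:" = "\\fileserver\Home\$env:USERNAME"
}

foreach ($Drive in $Mappings.GetEnumerator()) {
    # Skip letters that are already in use
    if (-not (Test-Path -Path $Drive.Key)) {
        # -Persist creates a real mapped network drive. Inside a script the
        # mapping is removed when the script scope ends unless the drive is
        # created in the global scope, hence -Scope Global.
        New-PSDrive -Name $Drive.Key.TrimEnd(':') `
            -PSProvider FileSystem `
            -Root $Drive.Value `
            -Persist `
            -Scope Global
    }
}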
Best Practices
- Use NTFS permissions over share permissions: Share permissions are coarse — NTFS provides fine-grained control
- Enable Access-Based Enumeration: Users only see folders they can access
- Configure quotas to prevent any department from filling the disk
- Enable Shadow Copies for self-service file recovery
- Use DFS Namespaces to abstract file server names from share paths
- Audit file access for compliance and security investigations
- Encrypt SMB traffic with `-EncryptData $true` for sensitive shares
- Regular backups: Windows Server Backup or third-party solution for disaster recovery