Recipe 15.17 Finding the Quota Usage for a Security Principal

This recipe requires a Windows Server 2003 domain controller.

15.17.1 Problem

You want to find the quota usage for a certain security principal.

15.17.2 Solution

The quota usage of a security principal can be determined in a few different ways. First, you can use the dsget command. Here is an example:

> dsget user "<UserDN>" -part <PartitionDN> -qlimit -qused

This displays the effective quota limit and how much quota has been used for a particular user. You can use similar parameters with dsget computer and dsget group to find the quota usage for those types of objects.

Users can find their own quota usage by querying the msDs-QuotaUsed and msDs-QuotaEffective attributes on the cn=NTDS Quotas container for a partition. These two attributes are constructed, which means they are dynamically calculated based on the user that is accessing them (see Recipe 10.15 for more on constructed attributes). The msDs-QuotaUsed attribute returns how much of the quota has been used by the user and the msDs-QuotaEffective attribute contains the quota limit.

Alternatively, view the msDs-TopQuotaUsage attribute on a partition's cn=NTDS Quotas container, which contains the users with the top quota usage. This attribute is multi-valued, with each value being XML-like text that contains the SID and how much of the quota the principal has used. See the Discussion section for an example.

15.17.3 Discussion

If you implement quotas, you'll certainly need to tell users what their quotas are (or provide instructions on how they can find out for themselves). Currently, there are a few ways to determine quota usage as outlined in the Solution section.

Perhaps the most interesting is obtaining the top quota usage. Each value of the msDs-TopQuotaUsage attribute contains an entry that details a security principal that has high quota usage (at the time of publication of this book, it was unknown exactly what "high" constituted). The values contain blocks of data formatted in an XML-like language. Each block has the SID of the security principal (<ownerSID>), the quota used (<quotaUsed>), the number of tombstone objects created (<tombstonedCount>), and the number of objects that are still active, i.e., not tombstoned (<liveCount>). Here is an example of what the attribute can contain:

>> Dn: CN=NTDS Quotas,DC=rallencorp,DC=com
        3> msDS-TopQuotaUsage: 
        <partitionDN> DC=rallencorp,DC=com </partitionDN>
        <ownerSID> S-1-5-21-1422208173-2062366415-1864960452-512 </ownerSID>
        <quotaUsed> 152 </quotaUsed>
        <tombstonedCount> 2 </tombstonedCount>
        <liveCount> 150 </liveCount>
        <partitionDN> DC=rallencorp,DC=com </partitionDN>
        <ownerSID> S-1-5-18 </ownerSID>
        <quotaUsed> 43 </quotaUsed>
        <tombstonedCount> 32 </tombstonedCount>
        <liveCount> 11 </liveCount>
        <partitionDN> DC=rallencorp,DC=com </partitionDN>
        <ownerSID> S-1-5-32-544 </ownerSID>
        <quotaUsed> 14 </quotaUsed>
        <tombstonedCount> 0 </tombstonedCount>
        <liveCount> 14 </liveCount>
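
The following Python script is an added example, not code from the book. It parses msDS-TopQuotaUsage text that has already been retrieved, names the well-known SIDs offline, and lists principals by quota used. The function names and the SID tables are assumptions of the example, and the sample input is the output above with each block's three counters joined on one line.

```python
import re
from collections import namedtuple

# Constructed input: the three values from the recipe's sample output.
SAMPLE = """
<partitionDN> DC=rallencorp,DC=com </partitionDN>
<ownerSID> S-1-5-21-1422208173-2062366415-1864960452-512 </ownerSID>
<quotaUsed> 152 </quotaUsed> <tombstonedCount> 2 </tombstonedCount> <liveCount> 150 </liveCount>
<partitionDN> DC=rallencorp,DC=com </partitionDN>
<ownerSID> S-1-5-18 </ownerSID>
<quotaUsed> 43 </quotaUsed> <tombstonedCount> 32 </tombstonedCount> <liveCount> 11 </liveCount>
<partitionDN> DC=rallencorp,DC=com </partitionDN>
<ownerSID> S-1-5-32-544 </ownerSID>
<quotaUsed> 14 </quotaUsed> <tombstonedCount> 0 </tombstonedCount> <liveCount> 14 </liveCount>
"""

FIELDS = ("partitionDN", "ownerSID", "quotaUsed", "tombstonedCount", "liveCount")
TAG = re.compile(r"<(\w+)>\s*(.*?)\s*</\1>", re.S)
QuotaEntry = namedtuple("QuotaEntry", "partition_dn owner_sid quota_used tombstoned live")
# Well-known SIDs and domain RIDs, resolved offline (not looked up in the directory).
WELL_KNOWN = {"S-1-5-18": "Local System", "S-1-5-32-544": "BUILTIN\\Administrators"}
DOMAIN_RIDS = {"512": "Domain Admins"}

def parse_top_quota_usage(text):
    """Split the tag stream into one QuotaEntry per complete five-tag block."""
    entries, current = [], {}
    for tag, value in TAG.findall(text):
        if tag not in FIELDS or tag in current:
            raise ValueError(f"unexpected or repeated tag <{tag}>")
        current[tag] = value
        if len(current) == len(FIELDS):
            dn, sid, *counts = (current[f] for f in FIELDS)
            entries.append(QuotaEntry(dn, sid, *map(int, counts)))
            current = {}
    if current:
        raise ValueError("truncated block at end of value")
    return entries

def describe_sid(sid):
    # Domain SIDs (S-1-5-21-...) are named by their final RID; others by exact match.
    head, _, rid = sid.rpartition("-")
    if head.startswith("S-1-5-21-"):
        return DOMAIN_RIDS.get(rid, sid)
    return WELL_KNOWN.get(sid, sid)

def report(text):
    # Rows of (principal, quotaUsed, tombstoned, live), heaviest user first.
    rows = sorted(parse_top_quota_usage(text), key=lambda e: -e.quota_used)
    return [(describe_sid(e.owner_sid), e.quota_used, e.tombstoned, e.live) for e in rows]
```

A SID that is not in either table is returned unchanged, so unfamiliar principals remain visible in the report.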

15.17.4 See Also

Recipe 15.14 for more on finding the quotas assigned to a security principal
