15.14. Finding the Quotas Assigned to a Security Principal
Tip
This recipe requires a Windows Server 2003 domain controller.
Problem
You want to find the quotas that have been configured for a security principal (i.e., user, group, or computer).
Solution
Using a command-line interface
> dsquery quota -part <PartitionDN> -acct <PrincipalName>
The following command searches for quotas that have been assigned to the RALLENCORP\rallen user in the dc=rallencorp,dc=com partition:
> dsquery quota -part dc=rallencorp,dc=com -acct RALLENCORP\rallen
Discussion
The dsquery solution will find only quotas that have been directly assigned to a security principal. The msDS-QuotaTrustee attribute on quota objects defines a SID that the quota applies to. The dsquery quota command will look up the SID for the specified account and match that against quota objects that reference that SID. Unfortunately, this doesn’t quite show the whole picture. A user could have a quota assigned directly, which the dsquery command would show, but the user could also be part of one or more groups that have quotas assigned. These won’t show up using dsquery.
A more robust solution would entail retrieving the tokenGroups attribute of the user, which contains a list of SIDs for all expanded group memberships, and then querying each of those groups to determine whether any of them have quotas assigned. This is actually the type of algorithm that is used to determine a user’s effective quota, as shown in Recipe 15.17.
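One way to script the tokenGroups approach described above, as an added example that is not code from the book. The function name Get-PrincipalQuota and the user DN in the sample call are hypothetical; msDS-QuotaControl and msDS-QuotaAmount are the schema names for quota objects and their limit, and the account running it is assumed to have read access to the NTDS Quotas container.

```powershell
# Added example, not from the book. Names marked hypothetical are assumptions.
function Get-PrincipalQuota {   # hypothetical function name
    param(
        [Parameter(Mandatory = $true)] [string] $PrincipalDN,  # DN of the user or computer
        [Parameter(Mandatory = $true)] [string] $PartitionDN   # e.g. dc=rallencorp,dc=com
    )

    # tokenGroups is a constructed attribute, so it has to be requested explicitly.
    $principal = [ADSI]"LDAP://$PrincipalDN"
    $principal.RefreshCache([string[]]@('objectSid', 'tokenGroups'))

    # Every SID a quota could reference for this principal: its own, then its groups.
    $sids = @{}
    $ownBytes = $principal.Properties['objectSid'][0]
    $own = New-Object System.Security.Principal.SecurityIdentifier($ownBytes, 0)
    $sids[$own.Value] = 'direct'
    foreach ($bytes in $principal.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        $sids[$sid.Value] = 'group'
    }

    # Quota objects live directly under CN=NTDS Quotas in each partition.
    $root = [ADSI]"LDAP://CN=NTDS Quotas,$PartitionDN"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=msDS-QuotaControl)'
    $searcher.SearchScope = 'OneLevel'
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'msDS-QuotaTrustee', 'msDS-QuotaAmount'))

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            # Property names in a SearchResult are stored in lower case.
            $trusteeBytes = $result.Properties['msds-quotatrustee'][0]
            $trustee = New-Object System.Security.Principal.SecurityIdentifier($trusteeBytes, 0)
            if ($sids.ContainsKey($trustee.Value)) {
                [pscustomobject]@{
                    Quota      = $result.Properties['cn'][0]
                    TrusteeSid = $trustee.Value
                    AppliesVia = $sids[$trustee.Value]   # 'direct' or 'group'
                    Amount     = $result.Properties['msds-quotaamount'][0]
                }
            }
        }
    }
    finally { $results.Dispose() }
}

# The user DN below is constructed for illustration.
Get-PrincipalQuota -PrincipalDN 'cn=rallen,cn=users,dc=rallencorp,dc=com' -PartitionDN 'dc=rallencorp,dc=com'
```

Rows marked `group` in AppliesVia are the quotas that the dsquery command does not report for the user.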
See Also