Finding a User's Quota
If you implement quotas, users will undoubtedly want to be able to find how much of their quota they've used. You can determine a user's quota usage in several ways. One method is to use the Dsget User command:
dsget user "<UserDN>" -part <PartitionDN> -qlimit -qused
This command displays the effective quota limit and how much of his or her quota a particular user has used. For example, the following command returns the quota usage for the cn=rallen user in the dc=rallencorp,dc=com partition:
dsget user "cn=rallen,cn=users,dc=rallencorp,dc=com" -part "dc=rallencorp,dc=com" -qlimit -qused
You can use similar parameters with the Dsget Computer and Dsget Group commands to find the quota usage for those types of objects.
Users can also determine their quota usage by querying the msDS-QuotaUsed and msDS-QuotaEffective attributes on the NTDS Quotas container for a partition. These two attributes are constructed, which means the attributes are dynamically calculated based on the user who's accessing them. The msDS-QuotaUsed attribute returns how much of the quota the user has used, and the msDS-QuotaEffective attribute contains the effective quota limit based on all applied quotas.
If you want to know which users in a partition are creating the most objects, you can view the msDS-TopQuotaUsage attribute on the partition's NTDS Quotas container, which returns information about the users with the top quota usage. Each value of this multivalued attribute contains blocks of data formatted in XML-like language. Each block includes the SID of the security principal (<ownerSID>), the total number of objects the principal has created (<quotaUsed>), the number of tombstone objects (<tombstonedCount>), and the number of active objects (<liveCount>). Figure 1 shows an example of the information the attribute can contain.
As you can see, the account name of the security principal isn't identified in the XML code. The code returns only the SID of the account. If you want to translate the SID to a user or group name, you can use the SidToName utility, which you can download from http://www.joeware.net/win32/index.html.
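The following is an added example, not code from the original article: it parses the four fields named above out of msDS-TopQuotaUsage values and lists the principals at or above a threshold, highest first. The sample values are constructed (made-up SIDs and counts, and a placeholder <usage> wrapper tag), and the function names and threshold are hypothetical.

```python
import re

# Field tags named in the article; any wrapper element around a block is ignored.
FIELDS = ("ownerSID", "quotaUsed", "tombstonedCount", "liveCount")

# Constructed sample values (made-up SIDs and counts). The <usage> wrapper tag is
# a placeholder, not the real element name; the parser never relies on it.
SID = "S-1-5-21-1111111111-2222222222-3333333333-"
SAMPLE_VALUES = [
    f"<usage><ownerSID> {SID}1105 </ownerSID><quotaUsed> 12 </quotaUsed>"
    "<tombstonedCount> 2 </tombstonedCount><liveCount> 10 </liveCount></usage>",
    # One value holding two blocks, spread over several lines.
    f"<usage>\n <ownerSID> {SID}1142 </ownerSID>\n <quotaUsed> 150 </quotaUsed>\n"
    " <tombstonedCount> 0 </tombstonedCount>\n <liveCount> 150 </liveCount>\n</usage>\n"
    f"<usage>\n <ownerSID> {SID}1130 </ownerSID>\n <quotaUsed> 540 </quotaUsed>\n"
    " <tombstonedCount> 40 </tombstonedCount>\n <liveCount> 500 </liveCount>\n</usage>",
    # Truncated block (no liveCount): must be skipped, not half-reported.
    f"<usage><ownerSID> {SID}1200 </ownerSID><quotaUsed> 900 </quotaUsed>",
]

def parse_top_quota_usage(values):
    """Return one dict per complete block; incomplete or non-numeric blocks are skipped."""
    records = []
    for value in values:
        # A value may hold several blocks, so start a new chunk at each <ownerSID>.
        for chunk in re.split(r"(?=<ownerSID>)", value):
            rec = {}
            for tag in FIELDS:
                m = re.search(rf"<{tag}>\s*(.*?)\s*</{tag}>", chunk, re.S)
                if m:
                    rec[tag] = m.group(1)
            if len(rec) != len(FIELDS):
                continue  # text before the first block, or a truncated block
            try:
                for tag in FIELDS[1:]:
                    rec[tag] = int(rec[tag])
            except ValueError:
                continue  # a count that is not a number
            records.append(rec)
    return records

def top_creators(values, threshold):
    """Principals whose quotaUsed is at or above threshold, highest first."""
    recs = [r for r in parse_top_quota_usage(values) if r["quotaUsed"] >= threshold]
    return sorted(recs, key=lambda r: r["quotaUsed"], reverse=True)

if __name__ == "__main__":
    for r in top_creators(SAMPLE_VALUES, threshold=100):
        print(r["ownerSID"], r["quotaUsed"], r["liveCount"], r["tombstonedCount"])
```

The output still identifies principals only by SID, so each reported SID needs translating to an account name as described above.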
Implementing Quotas
Quotas are a new Windows 2003 AD feature that lets you limit the number of objects users create in a partition. You can set default quota limits for all security principals in a domain to prevent malicious users from filling the hard disks on your DCs. Be sure to think through and thoroughly test any quotas in a test domain before you put them into production. Currently, you must use the DS command-line utilities to manage quotas. Perhaps in the near future, Microsoft will simplify quota management by integrating it into the AD MMC snap-ins.