William Stanek - Windows Server 2012 R2 Storage, Security, & Networking Pocket Consultant

8.Use the Type list to specify whether you are configuring auditing for success, failure, or both, and then specify which actions should be audited. Success logs successful events, such as a successful attempt to modify an object’s permissions. Failed logs failed events, such as a failed attempt to modify an object’s owner.

9.Tap or click OK. Repeat this process to audit other users, groups, or computers.

Windows Server 2012 R2 supports two mutually exclusive types of disk quotas:

■ NTFS disk quotasNTFS disk quotas are supported on all editions of Windows Server 2012 R2 and enable you to manage disk space usage by users. You configure quotas on a per-volume basis. Although users who exceed limits get warnings, administrators are notified primarily through the event logs.

■ Resource Manager disk quotasResource Manager disk quotas are supported on all editions of Windows Server 2012 R2, allowing you to manage disk space usage by folder, by file type, and by volume. Users who are approaching or have exceeded a limit can be automatically notified by email. The notification system also allows for notifying administrators by email, triggering incident reporting, running commands, and logging related events.

The sections that follow discuss NTFS disk quotas.

NOTE Regardless of the quota system being used, you can configure quotas only for NTFS volumes. You can’t create quotas for FAT, FAT32, or ReFS volumes.

REAL WORLD When you apply disk quotas, you need to be particularly careful in the way you enforce quotas, especially with respect to system accounts, service accounts, or other special purpose accounts. Improper application of disk quotas to these types of accounts can cause serious problems that are difficult to diagnose and resolve. enforcing quotas on the System, NetworkService, and LocalService accounts could prevent the computer from completing important operating system tasks. As an example, if these accounts reach their enforced quota limit, you would not be able to apply changes to Group Policy because the Group Policy client runs within a LocalSystem context by default and would not be able to write to the system disk. If the service can’t write to the system disk, Group Policy changes cannot be made, and being unable to change Group Policy could have all sorts of unexpected consequences because you would be stuck with the previously configured settings. For example, you would be unable to disable or modify the quota settings through Group Policy.

In this scenario, where service contexts have reached an enforced quota limit, any other configuration settings that use these service contexts and require making changes to files on disk would likely also fail. For example, you would be unable to complete the installation or removal of roles, role services, and features. This would leave the server in a state in which Server Manager always includes a warning that you need to restart the computer to complete configuration tasks, but restarting the computer would not resolve these issues.

To address this problem, you need to edit the disk quota entries for the system disk, raise the enforced limits on the service accounts, and then restart the computer. Restarting the computer triggers the finalization tasks and enables the computer to complete any configuration tasks stuck in a pending status. Because the Group Policy client service could process changes and write them to the system disk, changes to Group Policy would then be applied as well.

Administrators use NTFS disk quotas to manage disk space usage for critical volumes, such as those that provide corporate data shares or user data shares. When you enable NTFS disk quotas, you can configure two values:

■ Disk quota limitSets the upper boundary for space usage, which you can use to prevent users from writing additional information to a volume, to log events regarding the user exceeding the limit, or both.

■ Disk quota warningWarns users and logs warning events when users are

getting close to their disk quota limit.

TIP You can set disk quotas but not enforce them, and you might be wondering why you’d want to do this. Sometimes you want to track disk space usage on a per-user basis and know when users have exceeded some predefined limit, but instead of denying them additional disk space, you log an event in the application log to track the overage. You can then send out warning messages or figure out other ways to reduce the space usage.

NTFS disk quotas apply only to end users and not to administrators. Administrators can’t be denied disk space even if they exceed enforced disk quota limits.

In a typical environment, you restrict disk space usage in megabytes (MB) or gigabytes (GB). For example, on a corporate data share used by multiple users in a department, you might want to limit disk space usage from 20 to 100 GB. For a user data share, you might want to set the level much lower, such as from 5 to 20 GB, which restricts the user from creating large amounts of personal data. Often you’ll set the disk quota warning as a percentage of the disk quota limit. For example, you might set the warning from 90 to 95 percent of the disk quota limit.

Because NTFS disk quotas are tracked on a per-volume, per-user basis, disk space used by one user doesn’t affect the disk quotas for other users. Thus, if one user exceeds his limit, any restrictions applied to this user don’t apply to other users. For example, if a user exceeds a 5-GB disk quota limit and the volume is configured to prevent writing over the limit, the user can no longer write data to the volume. Users can, however, remove files and folders from the volume to free up disk space. They can also move files and folders to a compressed area on the volume, which might free up space, or they can elect to compress the files themselves. Moving files to a different location on the volume doesn’t affect the quota restriction. The amount of file space is the same unless the user moves uncompressed files and folders to a folder with compression. In any case, the restriction on a single user doesn’t affect other users’ ability to write to the volume (as long as there’s free space on the volume).

You can enable NTFS disk quotas on the following:

■ Local volumesTo manage disk quotas on local volumes, you work with the local disk itself. When you enable disk quotas on a local volume, the Windows system files are included in the volume usage for the user who installed those files. Sometimes this might cause the user to go over the disk quota limit so to prevent this, you might want to set a higher limit on a local workstation volume.

■ Remote volumesTo manage disk quotas on remote volumes, you must share the root directory for the volume, and then set the disk quota on the volume. Remember, you set quotas on a per-volume basis, so if a remote file server has separate volumes for different types of data-that is, a corporate data volume and a user data volume-these volumes have different quotas.

Only members of the Domain Admins group or the local system Administrators group can configure disk quotas. The first step in using quotas is to enable quotas in Group Policy, which you can do at two levels:

■ LocalThrough local Group Policy, you can enable disk quotas for an individual computer.