About: Active Directory Integration - SmartColumns and Quota Notifications

Introduction

Northern Storage Suite offers a strong integration with Active Directory. The suite integrates with AD in order to provide a number of different features, but the main application of this integration is within the dynamic configuration of quota threshold notifications and the SmartColumn feature of the quota component.

Very powerful solutions can be achieved through NSS' AD integration. For example, NSS can be configured to identify the user associated with a quota, collect a property from that user account, such as 'department' or 'physicaldeliveryofficename', and display this as a label in the quota client. This allows administrators to create custom views that only show quotas belonging to users from the Engineering department, or only users who work out of the Singapore office.

More advanced scenarios could include parsing the 'Notes' property of quota owners and collecting the mail address of any user whose notes contain a specific string. For example, a quota notification can be configured to be sent to the user who has 'salesdepartmentquotaowner' in the notes section, so that notifications are dynamically adjusted as responsibility for the quota changes hands.

This article details the variables pre-configured in NSS and describes the different methods of creating custom AD queries. Note that in order to query Active Directory, the Quota Server service must have sufficient rights to read the AD structure.

Pre-configured Variables

Northern Storage Suite includes a number of pre-configured AD queries that can be used to populate notification email addresses and quota SmartColumns. These queries are broken into two parts: the first is the identification of the correct user account, and the second is the collection of the specified property.

NSS' pre-configured queries offer two methods for identifying the user account: using the name of the quota target directory (referred to as %ADUser), or using the account that the quota is set on (referred to as %ADAccount).

%ADUser variables

These variables use the name of the quota target (the name of the last directory in the quota path) to identify the user account for which properties should be retrieved; they identify the account with a sAMAccountName that matches the name of the last directory in the quota path.

%ADGetUserMail

Returns the 'mail' property.

%ADUserCommonName 

Returns the 'cn' property.

%ADUserDepartment

Returns the 'department' property.

%ADUserDisplayName

Returns the 'displayName' property.

%ADUserPhone

Returns the 'telephoneNumber' property.


%ADAccount variables

These variables should only be used with quotas that are set on individual user accounts, for example a quota set to control the space that can be consumed by jane.doe within the shared folder \\server\departments\share\. These variables retrieve properties for the account upon which the quota is set.

%ADAccountMail

Returns the 'mail' property.

%ADAccountCommonName 

Returns the 'cn' property.

%ADAccountDepartment

Returns the 'department' property.

%ADAccountDisplayName

Returns the 'displayName' property.

%ADAccountPhone

Returns the 'telephoneNumber' property.


Custom Queries - Simplified

To simplify the process of making custom AD queries, NSS offers a simplified syntax referred to as ADProperty. A true LDAP query uses advanced syntax (covered below), but the ADProperty feature removes much of this complication (and some of the flexibility).

Simplified custom queries are achieved by inserting the following syntax into the email notification or SmartColumn fields:

%ADProperty[query account][return attribute]

Where:
query account = the account from which properties should be collected
return attribute = the attribute that should be collected

Defining the 'Query Account'

Variables are used to define the 'account' parameter of the query. The different variables available are as follows:

%USER
This variable will look at the last directory in the quota path. In a case where the quota path is "\\NSS-Srv\Users\john.doe" then %USER will return "john.doe".

%USER$
Similar to the variable %USER, but trims any trailing '$' from the quota path. This variable should be used when the quota path is in the form "\\NSS-Srv\Users\jane.doe$". For the quota path "\\NSS-Srv\Users\jane.doe$", %USER$ will return "jane.doe".

%ACCOUNT
To be used in the case of account-specific quotas. This variable will be replaced with the value in the Account column specified for the quota. For example, if the quota is set on "\\NSS-Srv\Users\jane.doe$" with the account set to "jane.doe", then the variable %ACCOUNT will return "jane.doe". Note that if the quota has the account 'Everyone' associated with it, then "Everyone" will be returned.

%OWNER
To be used when quota targets are owned by the user or share admin who should receive notifications. Where the quota path "\\NSS-Srv\Projects\projectA" is owned by "john.smith", %owner will return "john.smith".

%SHAREREMARKS
This variable will retrieve the exact string entered into the Share Remarks or description field. Where the quota path "\\NSS-Srv\Projects\projectA" has the Remark/Description field populated as "jane.smith", %shareremarks will return "jane.smith".

Defining the 'Return Attribute'
Any account attribute can be returned from Active Directory. Most commonly properties that are stored as Unicode strings are used, such as 'mail', 'department', 'postalCode', 'employeeID'. Regardless of the syntax in which the property is stored, it will always be displayed as a string in the quota client.

A low level AD editor such as ADSI Edit (adsiedit.msc) can be used to identify the correct attribute name to be used.

ADSI Edit window

Examples of Simplified Custom Queries

%ADProperty[%user][mail] = used for a quota set on the path "\\NSS-Srv\Users\jane.doe" will query Active Directory and return the mail attribute for the user account jane.doe. An ideal use for this query is in the dynamic configuration of email notifications for quota thresholds.

%ADProperty[%user][department] = used for a quota set on the path "\\NSS-Srv\Users\jane.doe" will query Active Directory and return the department attribute for the user account jane.doe. This query can be used to label quotas and allow view filtering in the quota server client.

%ADProperty[%owner][mail] = used for a quota set on the path "\\NSS-Srv\Projects\projectA" which is owned by "john.smith" will query Active Directory for the mail attribute of the account "john.smith". 

Custom Queries - Advanced

LDAP queries can be used to achieve very specific, and advanced, effects. The LDAP query must be inserted between square brackets, pre-pended by the key %adsearch. A second pair of square brackets defines the attribute that should be returned (in the same way as simplified queries above).

Advanced custom queries are entered as follows:

%adsearch[(&(objectClass=query object class)(name=*)(query attribute=match string))][return attribute]

Where:
query object class = the class of object that should be queried
query attribute = the AD attribute in the object class that should be queried
match string = the string which should be matched in the query attribute
return attribute = the attribute that should be retrieved

Defining the 'Query Object Class'

This value should be set to the relevant AD object class. In almost all cases this will be 'user'; the query will be configured to look for a property of a user account.

Defining the 'Query Attribute'

This should be a hard-coded value that defines the attribute to be queried. Typical use cases would include 'sAMAccountName', 'profilePath' or 'employeeID'.

Defining the 'Match String'

Here the same variables can be used as in simplified queries; %User, %Account, etc. Additionally hard-coded values can be used.

Defining the 'Return Attribute'

As with the simplified query syntax, any AD attribute can be returned. Regardless of the syntax in which the property is stored in AD, it will always be displayed as a string in the quota client. 

Examples of Advanced Custom Queries

%adsearch[(&(objectClass=user)(name=*)(sAMAccountName=%User))][mail] = this query will identify a user account where the sAMAccountName property matches the name of the last directory in the quota path and then return the email address for that user. It is equivalent to the first simplified query example and shows how the two syntaxes relate to one another.

%adsearch[(&(objectClass=user)(name=*)(info=Shared Drive X owner))][mail] = used with a quota that is set on the underlying 'Shared Drive X' share, this query will return the email address of the user that has the string "Shared Drive X owner" in the Notes attribute of their user account. If multiple users have this string then it will return the first one found. This is a method for linking quota admins with share admins defined in AD.
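Because an advanced query returns only the first match, and the Quota Server service needs read rights to resolve it, a filter is worth checking against the directory before it is used in a notification or SmartColumn. The following PowerShell is an added example, not part of NSS or of the original article: the function name Test-NssAdQuery, its parameters and the {0} placeholder for the substituted match string are assumptions. Run it in a session started as the account the Quota Server service uses to confirm what that account can read.

```powershell
# Added example: pre-check an LDAP filter before placing it in %adsearch[...][...].
# Test-NssAdQuery, its parameters and the {0} placeholder are hypothetical names.
function Test-NssAdQuery {
    param(
        [Parameter(Mandatory)][string]$Filter,           # LDAP filter; {0} marks the match string
        [Parameter(Mandatory)][string]$ReturnAttribute,  # e.g. mail, department
        [string]$MatchString                             # value a variable such as %User would supply
    )

    if ($PSBoundParameters.ContainsKey('MatchString')) {
        # Escape RFC 4515 special characters so the value is matched literally.
        # Backslash goes first so the escapes added afterwards are not re-escaped.
        # This is what this script does; the article does not describe NSS' own handling.
        $escaped = $MatchString.Replace('\', '\5c').Replace('*', '\2a').
                                Replace('(', '\28').Replace(')', '\29')
        $Filter = $Filter.Replace('{0}', $escaped)
    }

    # Binds to the current domain with the credentials of the current session.
    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add($ReturnAttribute)

    $results = $searcher.FindAll()
    try {
        $rows = @(foreach ($r in $results) {
            [pscustomobject]@{
                Account = "$($r.Properties['samaccountname'])"
                Value   = @($r.Properties[$ReturnAttribute.ToLower()]) -join '; '
            }
        })
    } finally { $results.Dispose() }

    if ($rows.Count -eq 0) {
        Write-Warning "No object matches $Filter (wrong filter, or no read access)"
    } elseif ($rows.Count -gt 1) {
        Write-Warning "$($rows.Count) objects match; only the first one found would be used"
    }
    $rows | Where-Object { -not $_.Value } |
        ForEach-Object { Write-Warning "$($_.Account) has no '$ReturnAttribute' value" }
    $rows
}

# Constructed inputs mirroring the two advanced examples above.
Test-NssAdQuery -Filter '(&(objectClass=user)(name=*)(sAMAccountName={0}))' -MatchString 'jane.doe' -ReturnAttribute mail
Test-NssAdQuery -Filter '(&(objectClass=user)(name=*)(info=Shared Drive X owner))' -ReturnAttribute mail
```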

ADDITIONAL RESOURCES

  • KB2841 About: Configuring Email Addresses for Quota Notifications
  • KB Article: 2848

    Updated: 12/8/2016

    • Category
      • Concept
    • Affected versions
      • NSS 9.0
      • NSS 9.5
      • NSS 9.6
      • NSS 9.7
      • NSS 9.8
