Recipe 15.13 Creating a Quota

This recipe requires a Windows Server 2003 domain controller.

15.13.1 Problem

You want to limit the number of objects a security principal can create in a partition by creating a quota.

15.13.2 Solution

15.13.2.1 Using a command-line interface
> dsadd quota -part <PartitionDN> -qlimit <QuotaLimit> -acct <PrincipalName>[RETURN]
  [-rdn <QuotaName>]

The following command creates a quota specification that allows the RALLENCORP\rallen user to create only 5 objects in the dc=rallencorp,dc=com partition:

> dsadd quota -part dc=rallencorp,dc=com -qlimit 5 -acct RALLENCORP\rallen

15.13.3 Discussion

Quotas are a new feature in Windows Server 2003 that allow an administrator to limit the number of objects that a user (or group of users) can create. This is similar in nature to the quota for creating computer objects found in Windows 2000 (see Recipe 8.9 for more details), except the quotas in Windows Server 2003 apply to the creation of all object types.

There are three things that need to be set when creating a quota specification, including:

Partition

Currently, quotas can apply only to an entire partition. You cannot create a quota that pertains only to a subtree in a partition. You can create quotas for any partition, including application partitions, except for the schema-naming context. The reasoning behind this restriction is that the schema is a highly protected area of the directory and you shouldn't need to restrict how many objects get created there.

Target security principal

A quota can be defined for any type of security principal. The msDS-QuotaTrustee attribute on the quota object stores the target principal in the form of a SID.

Limit

This determines how many objects the target security principal can create.

The quota limit is a combination of the new objects that a user creates plus any tombstone objects that are created by that user. If a user creates an object and then deletes another object, that would count as 2 toward any quotas that apply to the user. This is because when an object is deleted, a tombstone object is created in its place, which counts as another object creation. If a user creates an object and later deletes the same object, this would count as only 1 object against their quota. After the tombstone object is removed from Active Directory (60 days by default), the user's quota would be decremented. By default, a tombstone object counts as 1 object, but that is configurable. See Recipe 15.15 for more on changing the tombstone quota factor.

Since quotas can be assigned to users, groups, or computers, it is conceivable that multiple quotas may apply to a user. In this case, the quota with the highest limit will be in force for the user. You can also create a default quota for a partition that applies to all security principals. See Recipe 15.16 for more information on configuring the default quota.

Quotas do not apply to members of the Enterprise Admins and Domain Admins groups. Even if you've configured a default quota for all users, members of those administrative groups will not have any restrictions.

15.13.4 See Also

Recipe 8.9 for more on the computer object quota, Introduction in Chapter 15 for more on the attributes of quota objects, Recipe 15.14 for finding the quotas assigned to a security principal, Recipe 15.15 for changing the tombstone quota factor, and Recipe 15.16 for setting a default quota



    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List