|
You want to limit the number of objects a security principal can create in a partition by creating a quota.
> dsadd quota -part <PartitionDN> -qlimit <QuotaLimit> -acct <PrincipalName>[RETURN]
[-rdn <QuotaName>]
The following command creates a quota specification that allows the RALLENCORP\rallen user to create only 5 objects in the dc=rallencorp,dc=com partition:
> dsadd quota -part dc=rallencorp,dc=com -qlimit 5 -acct RALLENCORP\rallen
Quotas are a new feature in Windows Server 2003 that allow an administrator to limit the number of objects that a user (or group of users) can create. This is similar in nature to the quota for creating computer objects found in Windows 2000 (see Recipe 8.9 for more details), except the quotas in Windows Server 2003 apply to the creation of all object types.
There are three things that need to be set when creating a quota specification, including:
Currently, quotas can apply only to an entire partition. You cannot create a quota that pertains only to a subtree in a partition. You can create quotas for any partition, including application partitions, except for the schema-naming context. The reasoning behind this restriction is that the schema is a highly protected area of the directory and you shouldn't need to restrict how many objects get created there.
A quota can be defined for any type of security principal. The msDS-QuotaTrustee attribute on the quota object stores the target principal in the form of a SID.
This determines how many objects the target security principal can create.
The quota limit is a combination of the new objects that a user creates plus any tombstone objects that are created by that user. If a user creates an object and then deletes another object, that would count as 2 toward any quotas that apply to the user. This is because when an object is deleted, a tombstone object is created in its place, which counts as another object creation. If a user creates an object and later deletes the same object, this would count as only 1 object against their quota. After the tombstone object is removed from Active Directory (60 days by default), the user's quota would be decremented. By default, a tombstone object counts as 1 object, but that is configurable. See Recipe 15.15 for more on changing the tombstone quota factor.
Since quotas can be assigned to users, groups, or computers, it is conceivable that multiple quotas may apply to a user. In this case, the quota with the highest limit will be in force for the user. You can also create a default quota for a partition that applies to all security principals. See Recipe 15.16 for more information on configuring the default quota.
|
Recipe 8.9 for more on the computer object quota, Introduction in Chapter 15 for more on the attributes of quota objects, Recipe 15.14 for finding the quotas assigned to a security principal, Recipe 15.15 for changing the tombstone quota factor, and Recipe 15.16 for setting a default quota