Recipe 15.16 Setting the Default Quota for All Security Principals in a Partition

This recipe requires a Windows Server 2003 domain controller.

15.16.1 Problem

You want to set a default quota for all security principals.

15.16.2 Solution

15.16.2.1 Using a graphical user interface
  1. Open ADSI Edit.

  2. Connect to the partition you want to modify (has to be done on a per partition basis).

  3. In the left pane, expand the root of the partition.

  4. Right-click on cn=NTDS Quotas and select Properties.

  5. Set the msDS-DefaultQuota attribute to the number objects that security principals should be allowed to create if they are not assigned another quota.

  6. Click OK.

15.16.2.2 Using a command-line interface

Create an LDIF file called set_default_quota.ldf with the following contents:

dn: cn=NTDS Quotas,<PartitionDN>
changetype: modify
replace: msDs-DefaultQuota
msDs-DefaultQuota: <NumberOfObjects>
-

then run the following command:

> ldifde -v -i -f set_default_quota.ldf
15.16.2.3 Using VBScript
' This code sets the default quota for the specified partition
' ------ SCRIPT CONFIGURATION ------
strPartitionDN = "<PartitionDN>"        ' e.g. dc=rallencorp,dc=com
intDefaultQuota = <NumberOfObjects>     ' e.g. 10
' ------ END CONFIGURATION ---------

set objPart = GetObject("LDAP://cn=NTDS Quotas," & strPartitionDN )
objPart.Put "msDs-DefaultQuota", intDefaultQuota
objPart.SetInfo
WScript.Echo "Set the default quota for " & _
             strPartitionDN & " to " & intDefaultQuota

15.16.3 Discussion

The easiest way to apply a default quota to all of your users is to modify the msDS-DefaultQuota attribute on the NTDS Quotas container for the target partition. This attribute contains the default quota limit that is used if no other quotas have been assigned to a security principal.

You should be careful when setting the default quota because it applies to every non-administrator security principal. If you set the default to 0, for example, computers would not be able to dynamically update their DNS records in an AD-integrated zone because that creates an object. This may not be applicable in your environment, but the point is that you need to consider the impact of the default quota and test it thoroughly before implementing it.



    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List