What are Active Directory (AD) object quotas?
December 4, 2007
A. Windows Server 2003 introduced AD object quotas, which limit the number of objects a security principal (a user, computer, or group, with a group's quota applying to its members) can create and own in a directory partition; quotas can be set on any partition except the schema partition. Deleted objects still count while their tombstone exists (60 days by default in forests created before Windows Server 2003 SP1, 180 days in forests created later), weighted by the partition's tombstone quota factor (100 percent by default). Members of Domain Admins and Enterprise Admins are exempt, and if several quotas apply to a principal (directly and through group memberships), the largest one is the effective limit. Quotas were introduced to stop a Denial of Service (DoS) attack in which a user with create rights keeps creating objects until the domain controller (DC) runs out of disk space.
You manage quotas with the quota subcommand of the DSADD, DSGET, DSMOD, and DSQUERY tools, and partition-wide defaults with dsmod partition. To create a quota of 20 objects for barry@savilltech.net in the savilltech.net partition, you would use the following command (the -desc text is a free-form description):
dsadd quota -part DC=savilltech,DC=net -acct barry@savilltech.net -qlimit 20 -desc "Barry 20 object limit"
dsadd succeeded:DC=savilltech,DC=net
The quota entry is stored in the partition's NTDS Quotas container (CN=NTDS Quotas,DC=savilltech,DC=net) under a name of the form DOMAIN_account, and that container is where you query to view it. To view Barry's quota entry, you would use the command:
dsget quota -acct -qlimit "CN=SAVILLTECH_barry,CN=NTDS Quotas,DC=savilltech,DC=net"
acct qlimit
SAVILLTECH\barry 20
dsget succeeded
To view all quotas, use DSQUERY and pipe its output (the distinguished names of the matching quota entries) to DSGET to get the details. For example, to list every entry with a limit of 5 or more, you would use the command:
dsquery quota domainroot -qlimit ">=5" | dsget quota -acct -qlimit
acct qlimit
SAVILLTECH\barry 20
dsget succeeded
To modify quotas, use the DSMOD command and pass the quota entry DN. For example, to change Barry’s quota to 50 objects, you would use the command:
dsmod quota "CN=SAVILLTECH_barry,CN=NTDS Quotas,DC=savilltech,DC=net" -qlimit 50
dsmod succeeded:CN=SAVILLTECH_barry,CN=NTDS Quotas,DC=savilltech,DC=net
To set a partition's default limit, which applies to every principal that has no explicit quota entry, use dsmod partition. Use this command with care, because it changes the limit for all users of the partition at once. A QDEFAULT of -1 means no limit (this is also the initial setting on a new partition). The syntax is:
dsmod partition <PartitionDN> -qdefault <number>
You can also change a partition's tombstone quota factor with dsmod partition <PartitionDN> -qtmbstnwt <0-100>, which sets the percentage weight a tombstoned (deleted but not yet expired) object carries against the quota. The default is 100, so a deleted object counts the same as a live one until its tombstone expires. Setting QTMBSTNWT to 50 means a tombstone uses only half the quota of a normal object, and setting it to 0 means deleted objects stop counting immediately.
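The following PowerShell script is an added example, not part of the original article, that performs the same audit with the ActiveDirectory module instead of the ds* tools: it reads the partition default (msDS-DefaultQuota) and tombstone weight (msDS-TombstoneQuotaFactor) from the NTDS Quotas container, lists every explicit quota entry (objectClass msDS-QuotaControl) with its trustee resolved from the stored SID, and reports the biggest object owners from the constructed msDS-TopQuotaUsage attribute. The partition DN savilltech.net is taken from the article; the warning threshold parameter, the helper function names, and the XML element names assumed for msDS-TopQuotaUsage (ownerSID, quotaUsed, tombstonedCount, liveCount) are assumptions, not something the article states.

```powershell
# Added example (not from the original article): audit object quotas on one partition
# with the ActiveDirectory module instead of the ds* tools. Requires RSAT and read access
# to the NTDS Quotas container. The partition DN comes from the article; the warning
# threshold is an assumed parameter.
param(
    [string]$PartitionDN = 'DC=savilltech,DC=net',
    [int]$WarnPercent    = 80
)
Import-Module ActiveDirectory

$quotaContainer = "CN=NTDS Quotas,$PartitionDN"

# Turn a msDS-QuotaTrustee value (SID object, SID string, or raw bytes) into a SecurityIdentifier.
function ConvertTo-Sid($value) {
    if ($value -is [System.Security.Principal.SecurityIdentifier]) { return $value }
    if ($value -is [byte[]]) { return New-Object System.Security.Principal.SecurityIdentifier($value, 0) }
    return New-Object System.Security.Principal.SecurityIdentifier([string]$value)
}

# Resolve a SID to DOMAIN\name; fall back to the SID string for orphaned entries
# (a quota entry outlives the account it was created for).
function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$sid) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

# 1. Partition-wide settings stored on the container: msDS-DefaultQuota (-1 = unlimited,
#    what "dsmod partition ... -qdefault -1" sets) and msDS-TombstoneQuotaFactor (the
#    -qtmbstnwt percentage). msDS-TopQuotaUsage is constructed, so it must be requested by name.
$container = Get-ADObject -Identity $quotaContainer `
    -Properties 'msDS-DefaultQuota', 'msDS-TombstoneQuotaFactor', 'msDS-TopQuotaUsage'
$defaultQuota = [int]$container.'msDS-DefaultQuota'
"Partition        : $PartitionDN"
"Default quota    : $(if ($defaultQuota -eq -1) { 'unlimited' } else { $defaultQuota })"
"Tombstone weight : $($container.'msDS-TombstoneQuotaFactor')%"

# 2. Explicit quota entries (objectClass msDS-QuotaControl) under the container,
#    keyed by trustee SID so usage can be matched to a limit below.
$limits = @{}
Get-ADObject -SearchBase $quotaContainer -SearchScope OneLevel `
    -LDAPFilter '(objectClass=msDS-QuotaControl)' `
    -Properties 'msDS-QuotaTrustee', 'msDS-QuotaAmount' |
  ForEach-Object {
    $sid = ConvertTo-Sid $_.'msDS-QuotaTrustee'
    $limits[$sid.Value] = [int]$_.'msDS-QuotaAmount'
    [pscustomobject]@{ Entry = $_.Name; Trustee = (Resolve-Sid $sid); Limit = [int]$_.'msDS-QuotaAmount' }
  } | Format-Table -AutoSize

# 3. Top consumers. Each msDS-TopQuotaUsage value is a small XML document (element names
#    assumed from the documented format). quotaUsed is already tombstone-weighted.
#    Only a trustee's own entry or the partition default is matched here; a larger quota
#    inherited through group membership is not resolved, so flags are conservative.
$report = foreach ($xmlText in $container.'msDS-TopQuotaUsage') {
    $u       = ([xml]$xmlText).MS_DS_TOP_QUOTA_USAGE
    $sidText = $u.ownerSID.Trim()
    $used    = [int]$u.quotaUsed.Trim()
    $limit   = if ($limits.ContainsKey($sidText)) { $limits[$sidText] } else { $defaultQuota }
    $percent = if ($limit -gt 0) { [math]::Round(100 * $used / $limit) } else { $null }
    $flag    = if ($null -ne $percent -and $percent -ge $WarnPercent) { "$percent% of quota" } else { '' }
    $limitText = if ($limit -eq -1) { 'unlimited' } else { $limit }
    [pscustomobject]@{
        Owner      = Resolve-Sid (ConvertTo-Sid $sidText)
        Live       = [int]$u.liveCount.Trim()
        Tombstoned = [int]$u.tombstonedCount.Trim()
        Used       = $used
        Limit      = $limitText
        Flag       = $flag
    }
}
$report | Sort-Object Used -Descending | Format-Table -AutoSize
```

Run it as a user with read access to the partition (for example, `.\Audit-ADQuotas.ps1 -PartitionDN 'DC=savilltech,DC=net' -WarnPercent 90`, with the script name assumed). The Tombstoned column is where a low tombstone weight shows its effect: with the default factor of 100, a principal who creates and deletes objects in a loop burns quota exactly as fast as one who leaves them in place.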