Active Directory quotas

Windows Server 2003 introduced Active Directory object quotas, which limit the number of objects a security principal (user, computer or group) can own in a directory partition of Active Directory / Active Directory Domain Services (AD DS). Without a quota, any principal that has been delegated create rights somewhere in the directory can keep creating objects until NTDS.dit fills the disk and the domain controller stops working, so quotas are a denial-of-service control as much as an administrative one. Note that the limit is based on ownership, not on who ran the create: an object counts against the quota of the principal that owns it, and deleted (tombstoned) objects still count at the percentage set by the msDS-TombstoneQuotaFactor attribute of the NTDS Quotas container (100% by default) until they are garbage-collected.

Quotas are set per directory partition: the domain, configuration and application partitions can each carry their own quotas; the schema partition cannot be quota-limited. Members of the Domain Admins and Enterprise Admins groups are exempt from quota limits, so quotas bound what delegated or low-privileged principals can do, not what a compromised administrator can do. If a principal matches several quotas (its own and those of groups it belongs to), the largest limit applies; principals with no matching quota get the partition default from the msDS-DefaultQuota attribute of the NTDS Quotas container, which is unlimited (-1) unless you set it. Object quotas are also separate from the ms-DS-MachineAccountQuota domain attribute, which only controls how many computer accounts an authenticated user may join to the domain.

Quota objects are stored in the NTDS Quotas container under the domain, application and configuration naming contexts. To see the NTDS Quotas container in the Active Directory Users and Computers snap-in, enable Advanced Features on the View menu.
The NTDS Quotas container is of the object class msDS-QuotaContainer; each individual quota beneath it is an msDS-QuotaControl object whose msDS-QuotaTrustee attribute holds the principal's SID and whose msDS-QuotaAmount attribute holds the limit.

Creating quotas
dsadd quota -part dc=example,dc=com -qlimit 10 -acct cn=admin,ou=it,dc=example,dc=com

This limits the user admin to owning 10 objects in the domain partition dc=example,dc=com. The quota object is created in the NTDS Quotas container of that partition; add -rdn to give it a specific name, otherwise dsadd generates one.

Determining quota limits
dsget user cn=admin,ou=it,dc=example,dc=com -part dc=example,dc=com -qlimit -qused

This shows the effective limit (-qlimit) and the number of objects currently charged to the account (-qused) in the given partition.

Note: the same parameters work with the dsget computer and dsget group commands to find the effective quota for those principals.

dsquery quota domainroot -qlimit ">=10" | dsget quota -acct -qlimit

This lists every quota object in the domain partition whose limit is 10 or more (the -qlimit filter also accepts "<=" and "=") and shows the account and limit for each.

Modify Quotas
dsmod quota "CN=it,CN=NTDS Quotas,DC=example,DC=com" -qlimit 50
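The same create / inspect / modify cycle done with the ActiveDirectory PowerShell module instead of the ds* tools, as an added example that is not part of the original post. It assumes the domain DC=example,DC=com, a user named admin, a quota object named it-admin, a partition default of 500 objects and a tombstone factor of 25% (all illustrative values), that the AD cmdlets accept a SecurityIdentifier for the SID-syntax msDS-QuotaTrustee attribute, and that the XML returned by msDS-TopQuotaUsage uses the element names shown. Run it as a member of Domain Admins on a domain-joined host.

```powershell
# Added example (not from the original post): manage AD object quotas with
# the ActiveDirectory module. Assumed values: DC=example,DC=com, user 'admin',
# quota object 'it-admin', default quota 500, tombstone factor 25%.
Import-Module ActiveDirectory

$partition      = 'DC=example,DC=com'
$quotaContainer = "CN=NTDS Quotas,$partition"

# 1. Partition-wide settings live on the msDS-QuotaContainer object.
#    msDS-DefaultQuota applies to every principal without an explicit quota
#    (-1 = unlimited, the out-of-box value); msDS-TombstoneQuotaFactor is the
#    percentage each deleted-but-not-yet-purged object counts for.
Set-ADObject -Identity $quotaContainer -Replace @{
    'msDS-DefaultQuota'         = 500
    'msDS-TombstoneQuotaFactor' = 25
}

# 2. Explicit quota for one principal: an msDS-QuotaControl object whose
#    trustee is a SID (dsadd -acct resolves the DN to the SID for you).
$admin = Get-ADUser -Identity 'admin'
New-ADObject -Name 'it-admin' -Type 'msDS-QuotaControl' -Path $quotaContainer `
    -OtherAttributes @{
        'msDS-QuotaTrustee' = $admin.SID      # assumption: SecurityIdentifier is accepted here
        'msDS-QuotaAmount'  = 10
        'description'       = 'IT admin object quota'
    }

# 3. Effective limit and current usage for a principal. Both are constructed
#    attributes of the NTDS Quotas container, evaluated for the SID named in
#    the search filter; this is what "dsget user -part -qlimit -qused" does.
function Get-ADObjectQuotaUsage {
    param(
        [Parameter(Mandatory)][string]$TrusteeSid,
        [string]$Partition = 'DC=example,DC=com'
    )
    Get-ADObject -SearchBase "CN=NTDS Quotas,$Partition" -SearchScope Base `
        -LDAPFilter "(msDS-QuotaTrustee=$TrusteeSid)" `
        -Properties 'msDS-QuotaEffective', 'msDS-QuotaUsed' |
    Select-Object @{ n = 'Trustee'; e = { $TrusteeSid } },
                  @{ n = 'Limit';   e = { $_.'msDS-QuotaEffective' } },
                  @{ n = 'Used';    e = { $_.'msDS-QuotaUsed' } }
}
Get-ADObjectQuotaUsage -TrusteeSid $admin.SID.Value

# 4. Equivalent of: dsquery quota domainroot -qlimit ">=10" | dsget quota -acct -qlimit
Get-ADObject -SearchBase $quotaContainer -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=msDS-QuotaControl)(msDS-QuotaAmount>=10))' `
    -Properties 'msDS-QuotaTrustee', 'msDS-QuotaAmount' |
    Select-Object Name, 'msDS-QuotaTrustee', 'msDS-QuotaAmount'

# 5. Equivalent of: dsmod quota "CN=it-admin,CN=NTDS Quotas,DC=example,DC=com" -qlimit 50
Set-ADObject -Identity "CN=it-admin,$quotaContainer" -Replace @{ 'msDS-QuotaAmount' = 50 }

# 6. Who is consuming the most? msDS-TopQuotaUsage on the container returns one
#    XML fragment per owner. Element names below are an assumption about that XML.
(Get-ADObject -Identity $quotaContainer -Properties 'msDS-TopQuotaUsage').'msDS-TopQuotaUsage' |
    ForEach-Object { ([xml]$_).MS_DS_TOP_QUOTA_USAGE } |
    Select-Object ownerSID, quotaUsed, liveCount, tombstoneCount
```

Step 6 is the check worth scheduling: a principal whose live count climbs toward its limit, or a large tombstone count charged to a low-privileged account, is the early sign of the fill-the-database behaviour the quota exists to contain.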

2003 AD quota table integrity check

The semantic database analysis runs against an offline copy of the database, so on Windows Server 2003 the domain controller must be rebooted into Directory Services Restore Mode (DSRM):

Reboot the domain controller into Directory Services Restore Mode (DSRM)
Type ntdsutil in a command window
Type semantic database analysis, and press ENTER
Type check quota, and press ENTER

2008 AD quota table integrity check

Windows Server 2008 introduced restartable AD DS, so instead of rebooting you stop the directory service (this also stops the services that depend on it, such as the Kerberos KDC, DNS Server, file replication and Intersite Messaging):

Type net stop ntds, and press ENTER at an elevated command prompt
Type ntdsutil, and press ENTER
Type activate instance NTDS, and press ENTER
Type semantic database analysis, and press ENTER
Type check quota, and press ENTER
Type quit twice to leave ntdsutil, then net start ntds to bring the directory back, and start any dependent services that did not come back with it
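The Windows Server 2008 procedure scripted end to end, as an added example that is not part of the original post. ntdsutil accepts its commands as quoted arguments, so the check can run non-interactively; the finally block restarts NTDS and whatever services were stopped along with it even if the check fails. It assumes an elevated PowerShell session on the domain controller and the log path shown (both are assumptions, not from the post).

```powershell
# Added example (not from the original post): non-interactive quota table
# integrity check on a Windows Server 2008+ DC with restartable AD DS.
# Assumptions: elevated session on the DC; log written to %SystemRoot%\Temp.
$log = Join-Path $env:SystemRoot 'Temp\ntds-quota-check.txt'

# Remember which NTDS dependents are running so they can be restarted later:
# "net stop ntds" takes KDC, DNS, replication and ISM down with it, and
# starting NTDS again does not automatically bring them all back.
$ntds       = Get-Service -Name NTDS
$dependents = $ntds.DependentServices |
    Where-Object { $_.Status -eq 'Running' } |
    Select-Object -ExpandProperty Name

Stop-Service -Name NTDS -Force    # -Force stops the dependent services too
try {
    # Each quoted argument is one ntdsutil command, executed in order.
    # The two quits leave "semantic database analysis" and then ntdsutil itself.
    & ntdsutil.exe 'activate instance ntds' 'semantic database analysis' 'check quota' 'quit' 'quit' 2>&1 |
        Tee-Object -FilePath $log
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "ntdsutil exited with code $LASTEXITCODE; see $log"
    }
}
finally {
    # Bring the directory back even if ntdsutil failed or was interrupted.
    Start-Service -Name NTDS
    foreach ($name in $dependents) {
        Start-Service -Name $name -ErrorAction Continue
    }
    Get-Service -Name (@('NTDS') + $dependents) | Format-Table Name, Status -AutoSize
}
```

On Windows Server 2003 the same three ntdsutil commands, minus activate instance ntds, are typed in DSRM; the service start/stop wrapper does not apply there because AD DS cannot be stopped while the DC is running normally.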


Posted on February 24, 2012, in Uncategorized, Windows.
