Windows Server 2003 introduced AD object quotas to limit the number of objects a user, or the members of a group, can create in an AD naming context or directory partition (the schema partition excepted). Tombstone objects count toward the quota until the tombstone expires (60 days, by default). Quotas were introduced to prevent a Denial of Service (DoS) attack in which a user keeps creating objects until the domain controller (DC) runs out of storage space.
You manage quotas by using the DSADD, DSMOD, and DSQUERY commands with the quota object type. To create a new quota (e.g., a 20-object quota for the user Barry in the savilltech.net partition), you would use the following command:
-desc "Barry 20 object limit"
The quota entry is stored in the partition’s NTDS Quotas container, which is where you query to view the quota. To view Barry’s quota entry, you would use the command:
To view all quotas, use DSQUERY and pipe its output (the distinguished names of the quota entries) to DSGET to get the details. For example, to see all entries with a limit of more than 5, you would use the command:
To modify quotas, use the DSMOD command and pass the quota entry DN. For example, to change Barry’s quota to 50 objects, you would use the command:
dsmod succeeded:CN=SAVILLTECH_barry,CN=NTDS Quotas,DC=savilltech,DC=net
To set a partition's default limit, use the DSMOD command. Use this command with care because it affects every user in the partition. To establish no quota, set the QDEFAULT to -1, as shown in the following command:
dsmod partition <PartitionDN> -qdefault <Number>
You can also change a partition's QTMBSTNWT value (the weight, from 0 to 100, that a tombstone object carries against the quota). So, setting the QTMBSTNWT value to 50 would mean a tombstone object uses only half the quota of a normal (live) object.
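Because a default of -1 or an oversized per-user entry silently removes the DoS protection described above, an administrator will want to review the NTDS Quotas container periodically. The following PowerShell script is an added example, not from the original article; it assumes the RSAT ActiveDirectory module is installed, that the caller can read the NTDS Quotas container, and that the quota schema names used (msDS-DefaultQuota, msDS-TombstoneQuotaWeight, msDS-QuotaControl, msDS-QuotaTrustee, msDS-QuotaAmount) are the attributes behind the DSADD/DSMOD quota and partition switches shown on this page.

```powershell
# Added example: report a partition's default quota, tombstone weight and every
# explicit quota entry, flagging entries that disable or loosen the limit.
Import-Module ActiveDirectory

function Get-AdQuotaReport {
    param(
        [string]$PartitionDN = (Get-ADDomain).DistinguishedName,
        [int]$FlagAbove = 5   # flag explicit limits larger than this (cf. the DSQUERY example)
    )
    $container = Get-ADObject -Identity "CN=NTDS Quotas,$PartitionDN" `
        -Properties 'msDS-DefaultQuota','msDS-TombstoneQuotaWeight'

    $default = $container.'msDS-DefaultQuota'
    if ($null -eq $default -or $default -eq -1) { $default = 'unlimited (-1)' }
    [pscustomobject]@{
        Partition       = $PartitionDN
        DefaultQuota    = $default
        TombstoneWeight = $container.'msDS-TombstoneQuotaWeight'   # 100 = full object, 50 = half
    }

    Get-ADObject -SearchBase $container.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msDS-QuotaControl)' `
        -Properties 'msDS-QuotaTrustee','msDS-QuotaAmount','description' |
      ForEach-Object {
        # The trustee is stored as a SID; the AD module may hand it back as a
        # SecurityIdentifier, a string or raw bytes, so handle all three.
        $raw = $_.'msDS-QuotaTrustee'
        $sid = if ($raw -is [byte[]]) {
                   New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
               } else { [System.Security.Principal.SecurityIdentifier]$raw }
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # principal no longer resolves (e.g. deleted)

        $limit = [int]$_.'msDS-QuotaAmount'
        $flag  = ''
        if ($limit -eq -1)             { $flag = 'UNLIMITED' }
        elseif ($limit -gt $FlagAbove) { $flag = "above $FlagAbove" }

        [pscustomobject]@{
            Entry   = $_.Name          # e.g. SAVILLTECH_barry
            Trustee = $who
            Limit   = $limit
            Flag    = $flag
            Note    = $_.description
        }
      } | Sort-Object Limit -Descending
}

Get-AdQuotaReport | Format-Table -AutoSize
```

Run it against each partition you care about (pass -PartitionDN for the configuration partition, for instance); an UNLIMITED flag or a raised default is what to review against the change record.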