In Active Directory there is a container called NTDS Quotas which is visible in the Active Directory Users and Computers. In this blog post we are going to explore what it is and its use within Active Directory.
If you cannot see this NTDS Quotas container in Active Directory Users and Computers, you need to turn on Advanced Features which can be found in the view menu.
NTDS Quotas limit the amount of objects a security context (such as an Active Directory user object) can create within Active Directory. Why would you want to do this? Say you setup a Level 2 administrator on your network which has basic access to create users and similar objects on your domain. Now if the credentials of this account escaped into the wrong hands, whilst it doesn’t have any significant control over important components of Active Directory it could still be potentially used to take down the network. What do you mean Clint? The ability to create objects in Active Directory with no limit imposed is dangerous, an attacker could create billions of Active Directory objects in Active Directory until the database file NTDS.dit became so large it fills up the disk space on all available domain controllers making the domain completely unavailable.
When creating a user account in Active Directory which has been delegated the permissions to create objects within Active Directory it is best practice to set a quota to limit the number of objects that account can create. This is done using the following command.
dsadd quota -part dc=at,dc=local -qlimit 10 -acct CN=L2admin,CN=Users,DC=at,DC=local
This has created my L2 Admin the ability to create a maximum of 10 objects within Active Directory, any more a senior administrator will need to up his quota limit. It is also important to note that now the quota has been created, we can see that a quota object has been created for that user account in Active Directory under the NDSS Quotas container.
To verify how many objects a user has created from their quota you can use the following command.
dsget user CN=L2admin,CN=Users,DC=at,DC=local -part DC=at,DC=local -qlimit -qused
As you see I have not yet created an account with the L2Admin account I created for this demonstration, so quota used remains at 0.
Important: Domain Admins and Enterprise Admins groups are exempt from quota limitations. If you configure a quota for a Domain Admin or Enterprise Admin, it will not work! All the more reason to limit the number of Domain Admins and always delegate permissions where possible.
Can I create a default quota for all non Domain Admin and Enterprise Admin accounts on my network which have the ability to create objects?
The answer to this is yes! First navigate to the properties of the NTDS Quotas container within Active Directory.